/// <summary>
/// Copies every header produced by <paramref name="result"/> onto <paramref name="response"/>.
/// </summary>
/// <param name="response">The response that receives the CORS headers.</param>
/// <param name="result">The evaluated <see cref="CorsResult"/> whose headers are written.</param>
public static void AddCorsHeaders(this HttpResponseMessage response, CorsResult result)
{
    // Nothing here looks at whether the result is valid; the caller decides
    // whether these headers should be emitted at all.
    var corsHeaders = result.ToResponseHeaders();
    foreach (var header in corsHeaders)
    {
        // TryAddWithoutValidation skips header parsing and its bool result is
        // ignored, so a header that cannot be added is dropped silently.
        response.Headers.TryAddWithoutValidation(header.Key, header.Value);
    }
}
        /// <summary>
        /// Try to validate the requested method based on <see cref="CorsPolicy"/>.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext"/>.</param>
        /// <param name="policy">The <see cref="CorsPolicy"/>.</param>
        /// <param name="result">The <see cref="CorsResult"/>.</param>
        /// <returns><c>true</c> if the requested method is valid; otherwise, <c>false</c>. </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// or
        /// result
        /// </exception>
        public virtual bool TryValidateMethod(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            // NOTE(review): whether the Contains match is case-sensitive depends on the
            // Methods collection, which is not visible here.
            var requestedMethod = requestContext.AccessControlRequestMethod;
            bool methodPermitted = policy.AllowAnyMethod || policy.Methods.Contains(requestedMethod);

            if (!methodPermitted)
            {
                // The requested method is formatted into the message unchanged; if
                // ErrorMessages are logged or returned, encode them at that sink.
                string rejection = String.Format(
                    CultureInfo.CurrentCulture,
                    SRResources.MethodNotAllowed,
                    requestedMethod);
                result.ErrorMessages.Add(rejection);
            }
            else
            {
                result.AllowedMethods.Add(requestedMethod);
            }

            // Validity is read from the result object rather than from this check alone.
            return result.IsValid;
        }
            /// <summary>
            /// Validates the request origin against the policy, accepting origins for which
            /// <c>UrlExtensions.IsSubdomainOf</c> returns true for some configured origin.
            /// </summary>
            /// <returns>The value of <c>result.IsValid</c> after the origin check.</returns>
            public override bool TryValidateOrigin(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
            {
                if (requestContext == null)
                {
                    throw new ArgumentNullException(nameof(requestContext));
                }
                if (policy == null)
                {
                    throw new ArgumentNullException(nameof(policy));
                }
                if (result == null)
                {
                    throw new ArgumentNullException(nameof(result));
                }

                var origin = requestContext.Origin;
                if (origin == null)
                {
                    result.ErrorMessages.Add("No origin header present");
                }
                else if (policy.AllowAnyOrigin)
                {
                    // With SupportsCredentials also set, the request's own Origin is echoed
                    // back instead of the wildcard, so no origin is rejected on this path.
                    // NOTE(review): confirm the policy really intends both flags together.
                    result.AllowedOrigin = policy.SupportsCredentials ? origin : CorsConstants.AnyOrigin;
                }
                else if (policy.Origins.Any(allowed => UrlExtensions.IsSubdomainOf(origin, allowed)))
                {
                    // NOTE(review): IsSubdomainOf is not visible here; confirm it matches on a
                    // full host-label boundary and also compares scheme and port.
                    result.AllowedOrigin = origin;
                }
                else
                {
                    // The origin is embedded unchanged; encode ErrorMessages wherever they
                    // are logged or returned.
                    result.ErrorMessages.Add($"Origin {origin} not allowed");
                }

                return result.IsValid;
            }
        /// <summary>
        /// Evaluates the policy.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext" />.</param>
        /// <param name="policy">The <see cref="CorsPolicy" />.</param>
        /// <returns>
        /// The <see cref="CorsResult" />
        /// </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// </exception>
        public virtual CorsResult EvaluatePolicy(CorsRequestContext requestContext, CorsPolicy policy)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }

            var result = new CorsResult();

            // The origin is checked first; a rejected origin returns the result as it
            // stands, without credentials, method or header data copied onto it.
            bool originAccepted = TryValidateOrigin(requestContext, policy, result);
            if (originAccepted)
            {
                result.SupportsCredentials = policy.SupportsCredentials;

                if (!requestContext.IsPreflight)
                {
                    // Non-preflight requests only receive the exposed-header list;
                    // method and header validation runs on the preflight path only.
                    AddHeaderValues(result.AllowedExposedHeaders, policy.ExposedHeaders);
                }
                else if (TryValidateMethod(requestContext, policy, result)
                    && TryValidateHeaders(requestContext, policy, result))
                {
                    // Reached only when both preflight checks pass; && stops at the first failure.
                    result.PreflightMaxAge = policy.PreflightMaxAge;
                }
            }

            // A failed check still returns a result object, so callers have to
            // inspect its validity before writing headers from it.
            return result;
        }
        /// <summary>
        /// Writes the CORS headers on the response.
        /// </summary>
        /// <param name="response">The <see cref="HttpResponseMessage"/>.</param>
        /// <param name="corsResult">The <see cref="CorsResult"/>.</param>
        /// <exception cref="System.ArgumentNullException">
        /// response
        /// or
        /// corsResult
        /// </exception>
        public static void WriteCorsHeaders(this HttpResponseMessage response, CorsResult corsResult)
        {
            if (response == null)
            {
                throw new ArgumentNullException("response");
            }
            if (corsResult == null)
            {
                throw new ArgumentNullException("corsResult");
            }

            // The result's validity is not checked here; the caller decides whether
            // these headers should be written.
            IDictionary<string, string> headersToWrite = corsResult.ToResponseHeaders();
            if (headersToWrite == null)
            {
                return;
            }

            foreach (var entry in headersToWrite)
            {
                // Added without header validation; the bool result is ignored, so a
                // header that cannot be added is dropped silently.
                response.Headers.TryAddWithoutValidation(entry.Key, entry.Value);
            }
        }
        /// <summary>
        /// Evaluates the policy.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext" />.</param>
        /// <param name="policy">The <see cref="CorsPolicy" />.</param>
        /// <returns>
        /// The <see cref="CorsResult" />
        /// </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// </exception>
        public virtual CorsResult EvaluatePolicy(CorsRequestContext requestContext, CorsPolicy policy)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }

            var evaluation = new CorsResult();

            // Origin validation gates everything else: on failure nothing further
            // is copied from the policy onto the result.
            if (!TryValidateOrigin(requestContext, policy, evaluation))
            {
                return evaluation;
            }

            evaluation.SupportsCredentials = policy.SupportsCredentials;

            if (!requestContext.IsPreflight)
            {
                // Non-preflight path: only the exposed headers are added; the method
                // and request headers are not validated here.
                AddHeaderValues(evaluation.AllowedExposedHeaders, policy.ExposedHeaders);
                return evaluation;
            }

            // Preflight path: the method is checked before the headers, and the
            // header check is skipped when the method check fails.
            bool preflightAccepted =
                TryValidateMethod(requestContext, policy, evaluation) &&
                TryValidateHeaders(requestContext, policy, evaluation);
            if (preflightAccepted)
            {
                evaluation.PreflightMaxAge = policy.PreflightMaxAge;
            }

            // Callers have to check the result's validity; a rejected request
            // still yields a non-null object.
            return evaluation;
        }
        /// <summary>
        /// Try to validate the requested method based on <see cref="CorsPolicy"/>.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext"/>.</param>
        /// <param name="policy">The <see cref="CorsPolicy"/>.</param>
        /// <param name="result">The <see cref="CorsResult"/>.</param>
        /// <returns><c>true</c> if the requested method is valid; otherwise, <c>false</c>. </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// or
        /// result
        /// </exception>
        public virtual bool TryValidateMethod(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            // Accept path: either the policy allows every method or the requested
            // one is listed. NOTE(review): the comparison semantics of Methods
            // (case sensitivity) are not visible here.
            if (policy.AllowAnyMethod || policy.Methods.Contains(requestContext.AccessControlRequestMethod))
            {
                result.AllowedMethods.Add(requestContext.AccessControlRequestMethod);
                return result.IsValid;
            }

            // Reject path: the requested method is formatted into the message as-is;
            // encode ErrorMessages wherever they are logged or returned.
            string notAllowed = String.Format(
                CultureInfo.CurrentCulture,
                SRResources.MethodNotAllowed,
                requestContext.AccessControlRequestMethod);
            result.ErrorMessages.Add(notAllowed);
            return result.IsValid;
        }
        /// <summary>
        /// Try to validate the requested headers based on <see cref="CorsPolicy"/>.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext"/>.</param>
        /// <param name="policy">The <see cref="CorsPolicy"/>.</param>
        /// <param name="result">The <see cref="CorsResult"/>.</param>
        /// <returns><c>true</c> if the requested headers are valid; otherwise, <c>false</c>. </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// or
        /// result
        /// </exception>
        public virtual bool TryValidateHeaders(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            var requestedHeaders = requestContext.AccessControlRequestHeaders;

            // NOTE(review): header names are case-insensitive in HTTP; whether IsSubsetOf
            // compares that way depends on the set's comparer, which is not visible here.
            if (!policy.AllowAnyHeader && !requestedHeaders.IsSubsetOf(policy.Headers))
            {
                // The requested header names are joined into the message unchanged;
                // encode ErrorMessages wherever they are logged or returned.
                string rejection = String.Format(
                    CultureInfo.CurrentCulture,
                    SRResources.HeadersNotAllowed,
                    String.Join(",", requestedHeaders));
                result.ErrorMessages.Add(rejection);
            }
            else
            {
                // On acceptance the requested headers themselves are passed on as the
                // allowed list, including the AllowAnyHeader case.
                AddHeaderValues(result.AllowedHeaders, requestedHeaders);
            }

            return result.IsValid;
        }
 /// <summary>
 /// Evaluates <paramref name="corsPolicy"/> for the request with the engine obtained from the HTTP configuration.
 /// </summary>
 /// <param name="requestContext">The CORS request context passed to the engine.</param>
 /// <param name="corsPolicy">The policy passed to the engine.</param>
 /// <param name="corsResult">Receives whatever the engine returned, which may be <c>null</c>.</param>
 /// <returns><c>true</c> only when the engine returned a non-null result whose <c>IsValid</c> is true.</returns>
 private bool TryEvaluateCorsPolicy(CorsRequestContext requestContext, CorsPolicy corsPolicy, out CorsResult corsResult)
 {
     corsResult = _httpConfiguration.GetCorsEngine().EvaluatePolicy(requestContext, corsPolicy);

     // A missing result is treated as a rejection rather than an error.
     if (corsResult == null)
     {
         return false;
     }

     return corsResult.IsValid;
 }
        /// <summary>
        /// Try to validate the request origin based on <see cref="CorsPolicy"/>.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext"/>.</param>
        /// <param name="policy">The <see cref="CorsPolicy"/>.</param>
        /// <param name="result">The <see cref="CorsResult"/>.</param>
        /// <returns><c>true</c> if the request origin is valid; otherwise, <c>false</c>. </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// or
        /// result
        /// </exception>
        public virtual bool TryValidateOrigin(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            if (requestContext.Origin == null)
            {
                // A request without an origin is recorded as an error, not allowed by default.
                result.ErrorMessages.Add(SRResources.NoOriginHeader);
            }
            else if (policy.AllowAnyOrigin)
            {
                // With SupportsCredentials also set, the request's own Origin is echoed
                // back instead of the wildcard, so no origin is rejected on this path.
                // NOTE(review): confirm the policy really intends both flags together.
                result.AllowedOrigin = policy.SupportsCredentials
                    ? requestContext.Origin
                    : CorsConstants.AnyOrigin;
            }
            else if (policy.Origins.Contains(requestContext.Origin))
            {
                // NOTE(review): the matching rules (case, trailing slash) depend on the
                // Origins collection, which is not visible here.
                result.AllowedOrigin = requestContext.Origin;
            }
            else
            {
                // The origin is formatted into the message unchanged; encode
                // ErrorMessages wherever they are logged or returned.
                string rejection = String.Format(
                    CultureInfo.CurrentCulture,
                    SRResources.OriginNotAllowed,
                    requestContext.Origin);
                result.ErrorMessages.Add(rejection);
            }

            return result.IsValid;
        }
        /// <summary>
        /// Try to validate the requested headers based on <see cref="CorsPolicy"/>.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext"/>.</param>
        /// <param name="policy">The <see cref="CorsPolicy"/>.</param>
        /// <param name="result">The <see cref="CorsResult"/>.</param>
        /// <returns><c>true</c> if the requested headers are valid; otherwise, <c>false</c>. </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// or
        /// result
        /// </exception>
        public virtual bool TryValidateHeaders(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            // Accept path: the policy allows any header, or every requested header is
            // in the policy list. NOTE(review): the comparer used by IsSubsetOf is not
            // visible here; HTTP header names should compare case-insensitively.
            if (policy.AllowAnyHeader ||
                requestContext.AccessControlRequestHeaders.IsSubsetOf(policy.Headers))
            {
                // The requested headers themselves are passed on as the allowed list.
                AddHeaderValues(result.AllowedHeaders, requestContext.AccessControlRequestHeaders);
                return result.IsValid;
            }

            // Reject path: the requested header names are joined into the message
            // unchanged; encode ErrorMessages wherever they are logged or returned.
            string requestedList = String.Join(",", requestContext.AccessControlRequestHeaders);
            result.ErrorMessages.Add(String.Format(
                CultureInfo.CurrentCulture,
                SRResources.HeadersNotAllowed,
                requestedList));
            return result.IsValid;
        }
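 /// <summary>
 /// Decides whether the request's origin is permitted by <paramref name="policy"/> and
 /// records the outcome on <paramref name="result"/>.
 /// </summary>
 /// <param name="requestContext">The CORS request context whose <c>Origin</c> is checked.</param>
 /// <param name="policy">The policy supplying <c>AllowAnyOrigin</c>, <c>SupportsCredentials</c> and <c>Origins</c>.</param>
 /// <param name="result">Receives either the allowed origin or an error message.</param>
 /// <returns>The value of <c>result.IsValid</c> after the origin check.</returns>
 /// <exception cref="System.ArgumentNullException">Any of the three arguments is <c>null</c>.</exception>
 public virtual bool TryValidateOrigin(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
 {
     if (requestContext == null)
     {
         throw new ArgumentNullException("requestContext");
     }
     if (policy == null)
     {
         throw new ArgumentNullException("policy");
     }
     if (result == null)
     {
         throw new ArgumentNullException("result");
     }

     if (requestContext.Origin == null)
     {
         // A request without an origin is recorded as an error, not allowed by default.
         result.ErrorMessages.Add("The request does not contain the Origin header.");
         return result.IsValid;
     }

     if (policy.AllowAnyOrigin)
     {
         // With SupportsCredentials also set, the request's own Origin is echoed
         // back instead of the wildcard, so no origin is rejected on this path.
         // NOTE(review): confirm the policy really intends both flags together.
         result.AllowedOrigin = policy.SupportsCredentials
             ? requestContext.Origin
             : CorsConstants.AnyOrigin;
     }
     else if (policy.Origins.Contains(requestContext.Origin))
     {
         // NOTE(review): the matching rules depend on the Origins collection,
         // which is not visible here.
         result.AllowedOrigin = requestContext.Origin;
     }
     else
     {
         // Only the message text belongs in the format string; the resource key
         // name "OriginNotAllowed=" is not part of the message. The origin is
         // embedded unchanged, so encode ErrorMessages where they are logged or returned.
         result.ErrorMessages.Add(string.Format(
             CultureInfo.CurrentCulture,
             "The origin '{0}' is not allowed.",
             requestContext.Origin));
     }

     return result.IsValid;
 }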
 /// <summary>
 /// Checks the requested headers against <paramref name="policy"/> and records the outcome on <paramref name="result"/>.
 /// </summary>
 /// <param name="requestContext">The CORS request context whose <c>AccessControlRequestHeaders</c> are checked.</param>
 /// <param name="policy">The policy supplying <c>AllowAnyHeader</c> and <c>Headers</c>.</param>
 /// <param name="result">Receives either the allowed headers or an error message.</param>
 /// <returns>The value of <c>result.IsValid</c> after the header check.</returns>
 /// <exception cref="System.ArgumentNullException">Any of the three arguments is <c>null</c>.</exception>
 public virtual bool TryValidateHeaders(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
 {
     if (requestContext == null)
     {
         throw new ArgumentNullException("requestContext");
     }
     if (policy == null)
     {
         throw new ArgumentNullException("policy");
     }
     if (result == null)
     {
         throw new ArgumentNullException("result");
     }

     // NOTE(review): the comparer used by IsSubsetOf is not visible here; HTTP
     // header names should compare case-insensitively.
     bool headersPermitted = policy.AllowAnyHeader
         || requestContext.AccessControlRequestHeaders.IsSubsetOf(policy.Headers);

     if (headersPermitted)
     {
         // The requested headers themselves are passed on as the allowed list.
         AddHeaderValues(result.AllowedHeaders, requestContext.AccessControlRequestHeaders);
     }
     else
     {
         // The requested header names are joined into the message unchanged;
         // encode ErrorMessages wherever they are logged or returned.
         string requestedList = string.Join(",", requestContext.AccessControlRequestHeaders);
         result.ErrorMessages.Add(string.Format(
             CultureInfo.CurrentCulture,
             "The collection of headers '{0}' is not allowed.",
             requestedList));
     }

     return result.IsValid;
 }
        /// <summary>
        /// Appends the headers produced by <paramref name="result"/> to the response of <paramref name="context"/>.
        /// </summary>
        /// <param name="result">The evaluated CORS result whose headers are written.</param>
        /// <param name="context">The token-validation context that owns the response.</param>
        private void WriteCorsHeaders(CorsResult result, OAuthValidateTokenRequestContext context)
        {
            // The result's validity is not checked here; the caller decides whether
            // these headers should be written.
            var corsHeaders = result.ToResponseHeaders();
            if (corsHeaders == null)
            {
                return;
            }

            foreach (var entry in corsHeaders)
            {
                // NOTE(review): Append presumably adds to any value already present
                // instead of replacing it; confirm no earlier component has set
                // the same CORS header.
                context.Response.Headers.Append(entry.Key, entry.Value);
            }
        }
 /// <summary>
 /// Evaluates <paramref name="policy"/> for the request with the <c>_corsEngine</c> field.
 /// </summary>
 /// <param name="policy">The policy passed to the engine.</param>
 /// <param name="corsRequestContext">The CORS request context passed to the engine.</param>
 /// <param name="result">Receives whatever the engine returned, which may be <c>null</c>.</param>
 /// <returns><c>true</c> only when the engine returned a non-null result whose <c>IsValid</c> is true.</returns>
 private bool TryEvaluateCorsPolicy(CorsPolicy policy, CorsRequestContext corsRequestContext, out CorsResult result)
 {
     // Note the argument order: the engine takes the request context first.
     result = _corsEngine.EvaluatePolicy(corsRequestContext, policy);

     // A missing result is treated as a rejection rather than an error.
     bool hasResult = result != null;
     return hasResult && result.IsValid;
 }
 /// <summary>
 /// Sets the headers produced by <paramref name="result"/> on the response of <paramref name="context"/>.
 /// </summary>
 /// <param name="context">The OWIN context that owns the response.</param>
 /// <param name="result">The evaluated CORS result whose headers are written.</param>
 private static void WriteCorsHeaders(IOwinContext context, CorsResult result)
 {
     // The result's validity is not checked here; the caller decides whether
     // these headers should be written.
     IDictionary<string, string> headersToWrite = result.ToResponseHeaders();
     if (headersToWrite == null)
     {
         return;
     }

     foreach (var entry in headersToWrite)
     {
         // NOTE(review): Set presumably replaces any value already present for the
         // header name; confirm against the header dictionary in use.
         context.Response.Headers.Set(entry.Key, entry.Value);
     }
 }
        /// <summary>
        /// Try to validate the request origin based on <see cref="CorsPolicy"/>.
        /// </summary>
        /// <param name="requestContext">The <see cref="CorsRequestContext"/>.</param>
        /// <param name="policy">The <see cref="CorsPolicy"/>.</param>
        /// <param name="result">The <see cref="CorsResult"/>.</param>
        /// <returns><c>true</c> if the request origin is valid; otherwise, <c>false</c>. </returns>
        /// <exception cref="System.ArgumentNullException">
        /// requestContext
        /// or
        /// policy
        /// or
        /// result
        /// </exception>
        public virtual bool TryValidateOrigin(CorsRequestContext requestContext, CorsPolicy policy, CorsResult result)
        {
            if (requestContext == null)
            {
                throw new ArgumentNullException("requestContext");
            }
            if (policy == null)
            {
                throw new ArgumentNullException("policy");
            }
            if (result == null)
            {
                throw new ArgumentNullException("result");
            }

            // A request without an origin is recorded as an error, not allowed by default.
            if (requestContext.Origin == null)
            {
                result.ErrorMessages.Add(SRResources.NoOriginHeader);
                return result.IsValid;
            }

            if (policy.AllowAnyOrigin)
            {
                // The wildcard is used only when credentials are not supported. With
                // SupportsCredentials set, the request's own Origin is echoed back, so
                // no origin is rejected on this path.
                // NOTE(review): confirm the policy really intends both flags together.
                if (!policy.SupportsCredentials)
                {
                    result.AllowedOrigin = CorsConstants.AnyOrigin;
                }
                else
                {
                    result.AllowedOrigin = requestContext.Origin;
                }

                return result.IsValid;
            }

            // NOTE(review): the matching rules depend on the Origins collection,
            // which is not visible here.
            bool originListed = policy.Origins.Contains(requestContext.Origin);
            if (originListed)
            {
                result.AllowedOrigin = requestContext.Origin;
            }
            else
            {
                // The origin is formatted into the message unchanged; encode
                // ErrorMessages wherever they are logged or returned.
                result.ErrorMessages.Add(String.Format(
                    CultureInfo.CurrentCulture,
                    SRResources.OriginNotAllowed,
                    requestContext.Origin));
            }

            return result.IsValid;
        }