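/// <summary>
/// Adds the <c>Access-Control-Allow-Origin</c> response header when the request's
/// <c>Origin</c> header is a well-formed absolute URI whose host is either an exact
/// match for, or a dot-delimited subdomain of, an entry in the configured CORS
/// whitelist (or when the whitelist contains the wildcard <c>*</c>). Only the host is
/// compared; scheme and port of the origin are not checked against the whitelist.
/// </summary>
/// <param name="context">
/// the <see cref="T:System.Web.HttpContext">HttpContext</see> object that provides
/// references to the intrinsic server objects
/// </param>
/// <remarks>
/// The raw header value is never reflected back. The origin is parsed as an absolute
/// <see cref="Uri"/> and re-emitted from its scheme and authority only, so control
/// characters, path or query data in the header cannot reach the response. Host
/// matching is exact-or-subdomain, so a whitelist entry for <c>example.com</c> does
/// not admit <c>example.com.evil.net</c> (prefix match) or <c>notexample.com</c>
/// (bare suffix match). A <c>Vary: Origin</c> header accompanies the per-origin
/// response so shared caches do not serve one origin's response to another.
/// </remarks>
public static void AddCorsRequestHeaders(HttpContext context)
{
    string requestOrigin = context.Request.Headers["Origin"];
    if (string.IsNullOrEmpty(requestOrigin))
    {
        return;
    }

    // Browsers send Origin as "scheme://host[:port]". Anything that does not parse as
    // an absolute URI with a host (e.g. the opaque origin "null") is rejected rather
    // than reflected. The raw value is parsed directly: a URL-encoded copy is not a
    // parseable absolute URI, so encoding before parsing cannot serve as sanitizing.
    // Userinfo never appears in a browser-generated Origin, so its presence is treated
    // as malformed input.
    if (!Uri.TryCreate(requestOrigin, UriKind.Absolute, out Uri originUri)
        || string.IsNullOrEmpty(originUri.Host)
        || !string.IsNullOrEmpty(originUri.UserInfo))
    {
        return;
    }

    ImageSecuritySection.CORSOriginElement origins = ImageProcessorConfiguration.Instance.GetImageSecuritySection().CORSOrigin;
    if (origins?.WhiteList == null)
    {
        return;
    }

    bool allowed = false;
    foreach (Uri whiteListed in origins.WhiteList)
    {
        if (whiteListed != null && HostMatchesWhiteListEntry(originUri.Host, whiteListed))
        {
            allowed = true;
            break;
        }
    }

    if (!allowed)
    {
        return;
    }

    // Echo the canonical origin rebuilt from the parsed URI (scheme + authority), never
    // the raw header string.
    string allowedOrigin = originUri.GetLeftPart(UriPartial.Authority);
    context.Response.AppendHeader("Access-Control-Allow-Origin", allowedOrigin);

    // The response now varies by request origin; make that visible to caches.
    context.Response.AppendHeader("Vary", "Origin");
}

/// <summary>
/// Returns <c>true</c> when <paramref name="originHost"/> equals the host of
/// <paramref name="entry"/> or is a dot-delimited subdomain of it, or when the entry
/// is the wildcard <c>*</c>. Relative entries such as <c>.example.com</c> or
/// <c>example.com</c> are rebased onto <c>http://</c> so a host can be read from them;
/// an entry that still does not yield a host is ignored (never matches).
/// </summary>
/// <param name="originHost">The host component of the request's parsed Origin.</param>
/// <param name="entry">One configured whitelist entry.</param>
/// <returns><c>true</c> if the entry admits the origin host; otherwise <c>false</c>.</returns>
private static bool HostMatchesWhiteListEntry(string originHost, Uri entry)
{
    string raw = entry.ToString();
    if (raw == "*")
    {
        return true;
    }

    Uri absolute;
    if (entry.IsAbsoluteUri)
    {
        absolute = entry;
    }
    else if (!Uri.TryCreate("http://" + raw.TrimStart('.', '/'), UriKind.Absolute, out absolute))
    {
        // Not something we can read a host from; a malformed entry must not widen access.
        return false;
    }

    string allowedHost = absolute.Host;
    if (string.IsNullOrEmpty(allowedHost))
    {
        return false;
    }

    // Exact host, or a proper subdomain separated by a dot. Hosts are case-insensitive.
    return originHost.Equals(allowedHost, StringComparison.OrdinalIgnoreCase)
        || originHost.EndsWith("." + allowedHost, StringComparison.OrdinalIgnoreCase);
}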