/// <summary>
/// Adds response headers allowing Cross Origin Requests if the current origin request
/// passes sanitizing rules.
/// </summary>
/// <param name="context">
/// the <see cref="T:System.Web.HttpContext">HttpContext</see> object that provides
/// references to the intrinsic server objects
/// </param>
public static void AddCorsRequestHeaders(HttpContext context)
{
if (!string.IsNullOrEmpty(context.Request.Headers["Origin"]))
{
// Ensure origin is sanitized.
string origin = context.Server.UrlEncode(context.Request.Headers["Origin"]);
ImageSecuritySection.CORSOriginElement origins =
ImageProcessorConfiguration.Instance.GetImageSecuritySection().CORSOrigin;
if (origins?.WhiteList == null)
{
return;
}
// Check the url is from a whitelisted location.
if (origin != null)
{
Uri url = new Uri(origin);
string upper = url.Host.ToUpperInvariant();
// Check for root or sub domain.
bool validUrl = false;
foreach (Uri uri in origins.WhiteList)
{
if (uri.ToString() == "*")
{
validUrl = true;
break;
}
if (!uri.IsAbsoluteUri)
{
Uri rebaseUri = new Uri("http://" + uri.ToString().TrimStart('.', '/'));
validUrl = upper.StartsWith(rebaseUri.Host.ToUpperInvariant()) || upper.EndsWith(rebaseUri.Host.ToUpperInvariant());
}
else
{
validUrl = upper.StartsWith(uri.Host.ToUpperInvariant()) || upper.EndsWith(uri.Host.ToUpperInvariant());
}
if (validUrl)
{
break;
}
}
if (validUrl)
{
context.Response.AddHeader("Access-Control-Allow-Origin", origin);
}
}
}
}
