1

Objective:

Dynamically pass cors origins to the cors policy from named values.

Example:

Suppose I have the following named values:

name: cors-origins
value: https://domain1.com;https://domain2.com

and the CORS policy which intends to make use of this named value cors-origins:

<policies>
<inbound>
    <cors>
        <allowed-origins>
            // Here I need to use {{ cors-origins }}
            // The expected output is:
            // <origin>https://domain1.com</origin>
            // <origin>https://domain2.com</origin>
        </allowed-origins>
        <allowed-methods>
            <method>GET</method>
            <method>POST</method>
        </allowed-methods>
    </cors>
</inbound>
<backend>
    <forward-request />
</backend>
<outbound />
<on-error />
</policies>

What I tried so far:

  1. Dynamically creating the <allowed-origins> section:

Snippet:

...
<cors>
     @{
        var origins = "{{cors-origins}}".Split(';');
        return new XElement("allowed-origins", origins.Select(domain => new XElement("origin",domain)));
        // outputs:
        // <allowed-origins>
        //   <origin>https://domain1.com</origin>
        //   <origin>https://domain2.com</origin>
        // </allowed-origins>
     }
   
...
</cors>

Errors with: The element 'cors' cannot contain text. List of possible elements expected: 'allowed-origins, allowed-headers, expose-headers, allowed-methods'

  1. Dynamically creating only the <origin> elements.

Question: Is there a way to achieve the intended goal?

Cristian E.
  • 3,116
  • 7
  • 31
  • 61
  • did you checked this link-https://devblogs.microsoft.com/aspnet/manage-cors-policy-dynamically/ – RKM Oct 21 '21 at 09:54
  • Did you find a solution? I'm facing basically the same problem while trying to dynamically create `
    ` items inside the `` parent element.
     – Dan May 12 '22 at 17:09
  • 1
    @Dan Our devops ended up writing a bash script for generating the APIM template file itself, as part of the provisioning pipeline. I could not find a way to do it using the inbuilt syntax. – Cristian E. May 13 '22 at 19:11

1 Answers1

0

Not possible to dynamically add tags in APIM policies. What you can do is to read the request origin from the request header and check if it exists in one of the list of allowed origins.

Reference: How to make Azure API Management (API Gateway) CORS policy dynamic?

For your case it should be something like:

<fragment>
<cors allow-credentials="true">
    <allowed-origins>
        <origin>@{
            var origins = "{{cors-origins}}".Split(';');
            string origin = context.Request.Headers.GetValueOrDefault("Origin", "");
            bool isAllowedOrigin = Array.IndexOf(origins, origin) > -1;
            return isAllowedOrigin ? origin : "";
        }</origin>
    </allowed-origins>
    <allowed-methods preflight-result-max-age="300">
        <method>*</method>
    </allowed-methods>
    <allowed-headers>
        <header>*</header>
    </allowed-headers>
    <expose-headers>
        <header>*</header>
    </expose-headers>
</cors>
Ahmed El Kilani
  • 345
  • 1
  • 8