diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs
index d11f69a1daa..57bf8c3a02c 100644
--- a/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Cors/Controllers/AdminController.cs
@@ -147,5 +147,7 @@ public async Task IndexPOST()
     }
 
     private static bool IsAnyOriginAllowed(CorsPolicyViewModel corsPolicyViewModel)
-        => corsPolicyViewModel.AllowAnyOrigin || corsPolicyViewModel.AllowedOrigins.Any(origin => origin == CorsConstants.AnyOrigin);
+        => corsPolicyViewModel.AllowAnyOrigin
+            || corsPolicyViewModel.AllowedOrigins?.Any(origin =>
+                string.Equals(origin?.Trim(), CorsConstants.AnyOrigin, StringComparison.Ordinal)) == true;
 }
diff --git a/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs
index 61bdd2e87fd..3f78550c4dd 100644
--- a/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Cors/Services/CorsOptionsConfiguration.cs
@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using CorsConstants = Microsoft.AspNetCore.Cors.Infrastructure.CorsConstants;
 
 namespace OrchardCore.Cors.Services;
 
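Review bot: The wildcard test written here in IsAnyOriginAllowed (`AllowAnyOrigin || AllowedOrigins?.Any(origin => string.Equals(origin?.Trim(), CorsConstants.AnyOrigin, StringComparison.Ordinal)) == true`) is repeated verbatim in the policy-loading loop of CorsOptionsConfiguration.cs in this same commit, and the two copies are the admin-side gate that refuses to save AllowCredentials together with a wildcard origin and the startup-side gate that drops such a policy. If one copy is later changed and the other is not, a policy could pass admin validation and then be silently dropped at startup, or the reverse, so the expression belongs in one shared static helper that both call. Until then a remark on the method, such as `// Treats a trimmed "*" entry in AllowedOrigins as equivalent to AllowAnyOrigin; keep identical to the check in CorsOptionsConfiguration.`, makes the coupling visible.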
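Review bot: The added alias `using CorsConstants = Microsoft.AspNetCore.Cors.Infrastructure.CorsConstants;` sits directly under `using Microsoft.AspNetCore.Cors.Infrastructure;`, which already brings that type into scope, so the alias only has an effect if another type named CorsConstants is visible from this file's namespace. If that is the reason, a one-line comment such as `// Alias: disambiguates from another CorsConstants type in scope.` would stop a later cleanup from removing it; if it is not, the alias can simply be dropped.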
@@ -16,71 +17,77 @@ public CorsOptionsConfiguration(CorsService corsService, ILogger - { - if (corsPolicy.AllowAnyHeader) - { - configurePolicy.AllowAnyHeader(); - } - else - { - configurePolicy.WithHeaders(corsPolicy.AllowedHeaders); - } + { + var corsSettings = _corsService.GetSettingsAsync().GetAwaiter().GetResult(); + if (corsSettings?.Policies == null || !corsSettings.Policies.Any()) + { + return; + } - if (corsPolicy.AllowAnyMethod) - { - configurePolicy.AllowAnyMethod(); - } - else - { - configurePolicy.WithMethods(corsPolicy.AllowedMethods); - } + foreach (var corsPolicy in corsSettings.Policies) + { + var allowAnyOrigin = corsPolicy.AllowAnyOrigin + || corsPolicy.AllowedOrigins?.Any(origin => + string.Equals(origin?.Trim(), CorsConstants.AnyOrigin, StringComparison.Ordinal)) == true; - if (corsPolicy.AllowAnyOrigin) - { - configurePolicy.AllowAnyOrigin(); - } - else - { - configurePolicy.WithOrigins(corsPolicy.AllowedOrigins); - } + if (corsPolicy.AllowCredentials && allowAnyOrigin) + { + _logger.LogWarning( + "Using AllowCredentials and AllowAnyOrigin at the same time is considered a security risk, the {PolicyName} policy will not be loaded.", + corsPolicy.Name); + continue; + } - if (corsPolicy.AllowCredentials) - { - configurePolicy.AllowCredentials(); - } - else - { - configurePolicy.DisallowCredentials(); - } + options.AddPolicy(corsPolicy.Name, configurePolicy => + { + if (corsPolicy.AllowAnyHeader) + { + configurePolicy.AllowAnyHeader(); + } + else + { + configurePolicy.WithHeaders(corsPolicy.AllowedHeaders); + } + + if (corsPolicy.AllowAnyMethod) + { + configurePolicy.AllowAnyMethod(); + } + else + { + configurePolicy.WithMethods(corsPolicy.AllowedMethods); + } + + if (allowAnyOrigin) + { + configurePolicy.AllowAnyOrigin(); + } + else + { + configurePolicy.WithOrigins(corsPolicy.AllowedOrigins); + } + + if (corsPolicy.AllowCredentials) + { + configurePolicy.AllowCredentials(); + } + else + { + configurePolicy.DisallowCredentials(); + } + + if 
(corsPolicy.ExposedHeaders?.Length > 0) + { + configurePolicy.WithExposedHeaders(corsPolicy.ExposedHeaders); + } + }); + + if (corsPolicy.IsDefaultPolicy) + { + options.DefaultPolicyName = corsPolicy.Name; + } + } - if (corsPolicy.ExposedHeaders?.Length > 0) - { - configurePolicy.WithExposedHeaders(corsPolicy.ExposedHeaders); - } - }); - - if (corsPolicy.IsDefaultPolicy) - { - options.DefaultPolicyName = corsPolicy.Name; - } - } - - options.DefaultPolicyName ??= corsSettings.Policies.FirstOrDefault()?.Name; - } + options.DefaultPolicyName ??= corsSettings.Policies.FirstOrDefault()?.Name; + } }
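Review bot: A policy rejected by the new AllowCredentials-plus-wildcard check (the `continue` after the LogWarning) can still become the default, because the fallback `options.DefaultPolicyName ??= corsSettings.Policies.FirstOrDefault()?.Name;` after the loop takes the first configured policy rather than the first one actually registered, so when the rejected policy is first in the list and no other policy is flagged IsDefaultPolicy, DefaultPolicyName names a policy that was never added. Tracking the first loaded policy fixes this: declare `string firstLoadedPolicyName = null;` before the foreach, set `firstLoadedPolicyName ??= corsPolicy.Name;` directly after the `options.AddPolicy(...)` call, and finish with `options.DefaultPolicyName ??= firstLoadedPolicyName;`. Since dropping a configured policy is something the operator has to act on, LogError seems more appropriate than LogWarning for that message. The `_corsService.GetSettingsAsync().GetAwaiter().GetResult()` line appears to be carried over rather than introduced, but it blocks a thread during options construction and deserves a comment such as `// Synchronous by necessity: options configuration offers no async hook.`. The start of this method lies outside the visible hunk, and part of the old side appears to have been lost in rendering.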