CORS for multiple domains

Hi.

I have developed a webclient/server application relatively easily with XData. Thanks for that.

The service needs to be accessed from different domains. So I have learned about CORS.

I have learned that CORS allows to define access for all domains (using the wildcard, which is the default for the cors middelware) or to one specific domain. This is what the cors middelware implements.

I have also learned that in case the service should grant access to multiple domain in a more secure way that accepting all, the response should be dynamic.
So I thought I would find an event in the cors middelware that would allow me to test the domain and tell with a boolean if it is allowed or not.

But there isn't such an event.

I can write my own custom middelware of course, but wouldn't it be better to have such an event in the cors middelware itself?

Or instead of an event, we could also think about a white list of domains instead of a single one. That combined with which methods would be allowed for each domain.

Hi Didier,

That's a good suggestion, indeed. And it's true that you can relatively easily implement that in your own custom middleware, indeed. So it's not a blocking issue.

Given this context, if you allow me, I will move this topic to Sparkle feature requests so we can track and eventually implement this.

Sure.

1 Like