Configuring CORS policies allows ATS Configuration Manager to be accessed from other domains.
It is important to understand the implications before implementing this, as unintentional security risks may be introduced.
CORS settings form part of the appsettings.json file. On the root level of the application settings file for each plugin, edit (or add) the AllowedCrossOrigins configuration property.
If the AllowedCrossOrigins configuration property is not present in the appsettings.json then the default values are used.
By default, any cross-origin domain can access the ATS Configuration Manager for Cross-Origin Resource Sharing.
Setting ATS Security Manager's CORS configuration property overrides that default value for the application.
AllowedCrossOrigins: Array of URL origins that can access the ATS Configuration Manager for Cross-Origin Resource Sharing (CORS)
Example 1
{
...
"AllowedCrossOrigins": [ "https://reporting-demo-eu.azurewebsites.net/reporting-portal" ],
...
}
Requests from https://reporting-demo-eu.azurewebsites.net/reporting-portal will be allowed to the ATS Configuration Manager.
Example 2
{
...
"AllowedCrossOrigins": [ "https://reporting-demo-eu.azurewebsites.net/reporting-portal", "https://reporting-demo-us.azurewebsites.net/reporting-portal" ],
...
}
Requests from https://reporting-demo-eu.azurewebsites.net/reporting-portal and https://reporting-demo-us.azurewebsites.net/reporting-portal will be allowed to the ATS Configuration Manager.
Example 3
{
...
"AllowedCrossOrigins": [ "*" ],
...
}
Any cross-origin domain can access the ATS Configuration Manager for Cross-Origin Resource Sharing. This has the same effect as removing this configuration property from the appsettings.json since it's the same as the default setting.
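The following is an added audit example, not part of this documentation and not ATS product code. It reads the AllowedCrossOrigins property from each plugin's appsettings.json, reports which plugins end up with the default "any origin" policy (property absent or containing "*"), and flags non-HTTPS entries. The three appsettings contents and plugin paths are constructed samples. The origin_allowed check assumes matching on the scheme://host[:port] triple that browsers send in the Origin header; how ATS itself compares a configured entry that carries a path (as the examples above do) against an incoming request is not stated on this page, so treat that function as an illustration rather than a description of ATS behaviour.

```python
import json
from urllib.parse import urlsplit

# Constructed sample contents of per-plugin appsettings.json files (not real ATS files).
SAMPLE_SETTINGS = {
    "PluginA/appsettings.json": '{"Logging": {}, "AllowedCrossOrigins": '
                                '["https://reporting-demo-eu.azurewebsites.net/reporting-portal"]}',
    "PluginB/appsettings.json": '{"Logging": {}}',
    "PluginC/appsettings.json": '{"AllowedCrossOrigins": ["*"]}',
}


def effective_policy(appsettings_text):
    """Return ("any", []) when every cross-origin domain is admitted (property
    absent, or the list contains "*"), otherwise ("list", origins)."""
    settings = json.loads(appsettings_text)
    origins = settings.get("AllowedCrossOrigins")
    if not isinstance(origins, list) or "*" in origins:
        return ("any", [])
    return ("list", [str(o) for o in origins])


def normalize_origin(value):
    """Reduce a URL to scheme://host[:port], the form a browser puts in the
    Origin header; any path component is dropped. Returns None if unparsable."""
    parts = urlsplit(value.strip().lower())
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def origin_allowed(request_origin, policy):
    """Assumed matching rule: request Origin must equal a configured entry
    after both are normalized to scheme://host[:port]."""
    kind, origins = policy
    if kind == "any":
        return True
    want = normalize_origin(request_origin)
    allowed = {normalize_origin(o) for o in origins}
    return want is not None and want in allowed


def audit(files):
    """Produce (path, level, message) findings for a set of appsettings files."""
    findings = []
    for path, text in files.items():
        kind, origins = effective_policy(text)
        if kind == "any":
            findings.append((path, "WARN",
                             'any cross-origin domain may access this plugin (default or "*")'))
            continue
        for o in origins:
            if not o.lower().startswith("https://"):
                findings.append((path, "WARN", f"non-HTTPS origin in allowlist: {o}"))
        findings.append((path, "OK", f"restricted to {len(origins)} origin(s)"))
    return findings


if __name__ == "__main__":
    for path, level, message in audit(SAMPLE_SETTINGS):
        print(f"{level:4} {path}: {message}")
```

Run the script against the constructed samples to see PluginB (property absent) and PluginC ("*") reported as open to any origin, while PluginA is reported as restricted to one origin. To use it on a real deployment, replace SAMPLE_SETTINGS with the contents of each plugin's appsettings.json.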