CORS settings & dynamic frontend environments

[johnkors]

Hi,

Not sure if there is a feature for this already, but I could not find it in ASP.NET Core 3.1.

There are cloud hosting scenarios where the URL is dynamic, especially in frontend hosting providers like Heroku, Vercel or Netlify. The workflow process automatically provisions environments when opening a PR on GitHub. For example, in case of Heroku review apps , this would mean I would get a url on a predictable pattern, but with the subdomain changing:

• https://somepredictable-pr122.herokuapp.com
• https://somepredictable-pr123.herokuapp.com
  etc.

I expect it would be similar for Azure Static Web Apps, as well.

Often we need to set CORS settings in APIs, to allow requests from these domains. Currently, I can only set a wildcard setting on the CORS policy:

services.AddCors(options =>
{
  options.AddDefaultPolicy(builder =>
  {
      builder.WithOrigins("https://*.domain").SetIsOriginAllowedToAllowWildcardSubdomains()
  }
}

, but of course, I don't want any app on Heroku to be allowed here. Just the ones with my somepredictable prefix in the subdomain.

It would be nice to get an extension point for validation,

builder.WithOriginsValidator<MyCustomDynamicHerokuURLCORSValidator>()

or if there was support for * as _part of the subdomain itself:

builder.WithOrigins("https://mypredictable-*.herokuapp.com").SetIsOriginAllowedToAllowDynamicSubdomains()

Please let me know if there are available extension points to support dynamic environments like this already, I might have missed it.

[johnkors]

Here's a similar extension in Spring Boot (Java):

https://github.com/looorent/spring-security-jwt/blob/master/src/main/java/be/looorent/security/jwt/RegexCorsConfiguration.java#L49

[johnkors]

Moved this to a feature request as in issue in #27435