In Global.asax.cs file, I have the code that allows cross domain access.
protected void Application_BeginRequest(object sender, EventArgs e)
{
HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
HttpContext.Current.Response.Cache.SetNoStore();
if( // The requesting URL == "http://theproperdomain.com"){
EnableCrossDmainAjaxCall();
}
}
private void EnableCrossDmainAjaxCall()
{
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
{
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST");
HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
HttpContext.Current.Response.End();
}
}
But before my rest project allows cross domain access, it must check first if the requesting domain is equal to the proper domain. i.e.: “http://theproperdomain.com”
I have this code:
string properdomain = HttpContext.Current.Request.Url.AbsoluteUri;
But I’m not sure if it is the best to use.
Please suggest your better idea.
Edit
My domain server is http://theproperdomain.com where my rest services resides.
I’ll be fetching this domain name from my webconfig and compare to the current accessing client. I need to do this because I want to allow only one domain for “cross domain access”.
You can use the Host header of HTTP/1.1 to identify the domain to which the current request is sent to. As per the spec if the request is missing this information you could return 400 Bad Request
To access the header you can use
HttpContext.Current.Request.Headers["HOST"]But, if you would like to know from which application the request is being made, then you need to maintain an application secret which is unique for the every application and that needs to be authorized. This is safe as long as the application secret remains safe. Avoid using referrer header as it is an optional field.