I don't do much client side web programming, so I'm trying to grasp this concept in how it relates to my specific situation.
I have a RESTful WCF service running on a port in the 50000s. Additionally, I have a bunch of web forms (not ASP WebForms) written in HTML5/CSS3/JavaScript that make AJAX calls to this WCF service. The web forms are hosted on the same host, but are using port 80. The AJAX calls made by the web forms are all GET only requests.
Additionally, I have a third-party cloud-hosted application that's in a completely different location (different host), which needs to call the WCF service as well. This communication is performing POSTs & PUTs to the WCF service.
Obviously the calls being made from the third-party hosted cloud application is cross origin. From my research it appears that the different ports are in fact different origins.
I know that security & CORS are different concepts, but here is what I'm trying to accomplish and I need to better understand how all of this works:
Right now I allow all cross-origin requests, and everything is working, but I'd like to limit it down to improve security and then eventually set up HTTPS with transport security with both the webforms & WCF service using the same certificate. The third-party cloud service hosted-app would still need to be able to communicate with the WCF service so I would need to allow it to authenticate differently, so that would be done with a secret-key being passed since everything is server-side only.
This whole communication 'triangle' feels murky to me, and I hope that SO is the right place for me to be posting this question since it isn't directly code related.
- Is the WCF - web forms situation described above considered cross-origin?
- A) If the above is not cross-origin, would I then only need to pass the
Access-Control-Allow-Origin: 'https://my-cloud-host'in my web.config?
B) If it is I understand that just need to echo back the allowed origins(s) in the header. What do I set (if anything) forAccess-Control-Allow-Originin IIS in this case? What do I echo if it's not allowed, just the original origin? - Would my idea to use the same certificate for mutual SSL Authentication work if they are hosted on different ports? Would this prevent the cloud-service from communicating with the WCF service, or would having a second endpoint allow for this?
- Am I losing my mind? I'm so confused by this whole thing.
加载中...{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 The star\" 的问题《Properly Understanding CORS with Same Host / Diffe》','https://www.manongdao.com/q-975687.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}