I want to implement a custom CORS implementation, mainly because I am building a SaaS and need to be able to validate origins which are dynamic.
If I remove all origins in the Azure Functions CORS tab, it then enables all origins, e.g. "*", which I don't want. There's no disable option.
I don't see any options in APIM to remove it.
Any suggestions would be appreciated.
Fixed it: you have to remove all the origins and add "options" as one of the methods.
2 Answers
Simply remove all the origins (Azure Function Apps adds one by default), then make sure you add the options method in the app function methods params.
It’s not possible to "disable CORS" as CORS is enforced by a browser.
You can potentially allow all origins on the backend. But that effectively "disables" CORS.
So, if the situation is:
You can manage the situation purely with APIM inbound policy without making any changes to your backend.
However, you would need to introduce a separate helper Azure Function with an HTTP trigger that will validate the origin for the APIM inbound policy.
The proposed solution fully separates backend implementation (your Azure Function) and CORS configuration via APIM.
A backend Azure Function shouldn't be concerned about CORS, as the browser sends requests to APIM. APIM has a static policy that loads a dynamic list of allowed origins from a helper Azure Function.
APIM inbound policy
Sample JavaScript helper Azure Function HTTP trigger that checks if origin is in the list of allowed origins (that list can come from a DB):
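
An added example, not the answerer's original code: a helper HTTP trigger of the kind described above that validates a dynamic origin by exact match after normalization. The tenant list, the 200/403 JSON response shape, and the assumption that APIM forwards the browser's `Origin` header to the helper are all illustrative assumptions.

```javascript
// Added example. Constructed sample data standing in for a per-tenant DB lookup.
const TENANT_ORIGINS = new Set([
  "https://app.contoso.example",
  "https://portal.fabrikam.example:8443",
]);

// Reduce an Origin header value to canonical "https://host[:port]", or null.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value.length > 2048) return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // "null", empty and malformed values all end up here
  }
  if (url.protocol !== "https:") return null;
  // A browser-sent Origin carries no credentials, path, query or fragment.
  if (url.username || url.password) return null;
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin; // host lower-cased, default port dropped
}

// Exact match against the allow-list: no substring, suffix or regex tests.
function originDecision(headers, allowList = TENANT_ORIGINS) {
  const origin = normalizeOrigin(headers && headers.origin);
  const allowed = origin !== null && allowList.has(origin);
  return {
    status: allowed ? 200 : 403,
    headers: { "Content-Type": "application/json" },
    // Echo only the canonical, allow-listed value, never the raw header.
    body: { allowed, origin: allowed ? origin : null },
  };
}

// HTTP trigger entry point (Node.js programming model with context/req).
async function validateOrigin(context, req) {
  context.res = originDecision(req.headers);
}

if (typeof module !== "undefined") module.exports = validateOrigin;
```

Returning the canonical allow-listed origin lets the caller set `Access-Control-Allow-Origin` to a value it has verified instead of reflecting whatever the request carried.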