CORS Whitelist

vveerappan · 13 October 2022 16:33

We have a self-hosted octopus server and we are utilizing the octopus API.

Under Configuration → Web Portal ->CORS whitelisting, we added comma-separated values and ran into CORS errors from the consuming application. However a wildcard works

Working whitelist values : *
Whitelist values that do not work :

*.abcde.com
*.abc.com , *.def.com
https://abc-local.def.com:4800, https://abc.def.com/

Was hoping to get an example of whitelisting specific URI’s and domain-level wildcards.
( We are in version 2022.3.10594 )

britton.riggs · 13 October 2022 17:38

Hi @vveerappan,

Thanks for reaching out, and welcome to the Octopus Deploy community!

In doing some digging on your request, it looks like this behavior is determined by the CORS specification, which allows for the following valid values within the Access-Control-Allow-Origin header:

* (global wildcard)
null
exact protocol + domain + port

So unfortunately you wouldn’t be able to use domain-specific wildcards for this within Octopus Deploy as the valid values are determined by the CORS specification itself, and you would instead either need to use a global wildcard or the specific domain(s)/subdomain(s), protocol(s), and port(s).

Sorry I don’t have better news for you on this, but let me know if you have any additional questions or if I can be of any more help and I would be glad to assist further.

Best regards,

Britton

system · 13 November 2022 17:38

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.