Consolidate origins + remove AntiForgery

Author: mythz

MyApp/Configure.AppHost.cs

@@ -25,17 +25,9 @@ public override void Configure(Container container)
             IgnorePathInfoPrefixes = { "/appsettings", "/_framework" },
         });
 
-        string[] allowedOrigins = [
-            "https://localhost:5001",
-            "https://localhost:5002",
-            "https://docs.servicestack.net",
-            "https://servicestack.net",
-            "https://*.servicestack.net",
-        ];
-
         PreRequestFilters.Add((req,res) => {
             var origin = req.Headers.Get(HttpHeaders.Origin);
-            if (origin != null && allowedOrigins.Any(o => origin.StartsWith(o)))
+            if (origin != null && ConfigureCors.Origins.Any(o => origin.StartsWith(o)))
             {
                 res.AddHeader("X-Frame-Options", $"ALLOW-FROM {origin}");
                 res.AddHeader("Content-Security-Policy", $"frame-ancestors {origin}");

MyApp/Configure.Cors.cs

@@ -4,19 +4,20 @@ namespace MyApp;
 
 public class ConfigureCors : IHostingStartup
 {
+    public static string[] Origins = [
+        "http://localhost:5000", "https://localhost:5001", "https://localhost:5002", "http://localhost:8080",
+        "https://localhost:5173", "http://localhost:5173",
+        "https://docs.servicestack.net","https://servicestack.net","https://account.servicestack.net",
+        "https://razor-ssg.web-templates.io", "https://razor-press.web-templates.io",
+        "https://press-vue.servicestack.net", "https://press-react.servicestack.net",
+        "https://vue-spa.web-templates.io", "https://react-spa.web-templates.io",
+    ];
     public void Configure(IWebHostBuilder builder) => builder
         .ConfigureServices(services =>
         {
             services.AddCors(options => {
                 options.AddDefaultPolicy(policy => {
-                    policy.WithOrigins([
-                        "http://localhost:5000", "https://localhost:5001", "https://localhost:5002", "http://localhost:8080",
-                        "https://localhost:5173", "http://localhost:5173",
-                        "https://docs.servicestack.net","https://servicestack.net","https://account.servicestack.net",
-                        "https://razor-ssg.web-templates.io", "https://razor-press.web-templates.io",
-                        "https://press-vue.servicestack.net", "https://press-react.servicestack.net",
-                        "https://vue-spa.web-templates.io", "https://react-spa.web-templates.io",
-                    ])
+                    policy.WithOrigins(Origins)
                     .AllowCredentials()
                     .WithHeaders(["Content-Type", "Allow", "Authorization"])
                     .SetPreflightMaxAge(TimeSpan.FromHours(1));

MyApp/Program.cs

@@ -92,7 +92,7 @@
 app.UseHttpsRedirection();
 
 app.UseStaticFiles();
-app.UseAntiforgery();
+//app.UseAntiforgery(); remove X-Frame-Options header
 
 app.MapRazorComponents<App>()
     .AddInteractiveServerRenderMode()