Configure CORS for SharePoint 2016 (v 1.5)

Prerequisites

The URL Rewrite module has to be installed as described in Install URL Rewrite Module for IIS (v 1.5).

Introduction

The SharePoint Online Connector for Confluence uses JavaScript to communicate with SharePoint. Since Confluence and SharePoint are typically available under different domains, browsers would block all JavaScript-based requests which target another domain. However, with the help of Cross-Origin Resource Sharing (CORS), cross-domain communication from Confluence to SharePoint can be allowed.

For CORS to work, IIS has to evaluate certain HTTP request headers and add specific HTTP headers to the response. The necessary configuration is outlined in the following sections.

Add Allowed Server Variables

CORS is enabled by using the URL Rewrite module to evaluate and add the required HTTP headers. The rewrite rules need some additional server variables which can be defined like this:

  • Open IIS Manager.
  • Select the SharePoint web application Confluence should communicate with.
  • Double-click URL Rewrite.

The URL Rewrite Module opens.

  • On the right side click View Server Variables...
  • In the Allowed Server Variables screen use the Add... action to define the following variables:
    • CSI_CAPTURED_ACCESS_CONTROL_REQUEST_HEADERS
    • CSI_CAPTURED_ACCESS_CONTROL_REQUEST_METHOD
    • CSI_CAPTURED_ORIGIN
    • HTTP_ORIGIN


Image: Finished Configuration of Allowed Server Variables

Add Rewrite Rules

Modify web.config File

  • In IIS Manager right-click on the Site to which the SharePoint Online Connector web parts will be deployed.
  • In the opened context menu select Explore.
  • Check the content of the file system directory of your Site and look for a file named web.config (or Web.config). If it exists, continue with the next step. In case it doesn't exist, create a new XML file with your text editor of choice, name it web.config and add the following content: 

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
      </system.web>
      <system.webServer>
      </system.webServer>
    </configuration>

Copy Rewrite Rules to web.config

Before modifying the web.config file make a backup copy to restore from in case of error.

  • Open the existing or previously created web.config XML file in your favorite text editor.
  • Look for the system.webServer element. If it doesn't exist, add it as a direct child node to the configuration element as shown in the code snippet in the previous section.
  • Add the following XML code into the system.webServer element. In case the system.webServer element already contains a rewrite section, you only have to copy the rule and preConditions elements from the rules and outboundRules and append them to the existing configuration.

    <rewrite>
      <rules>
        <clear />
        <rule name="CSI: Capture Origin header" enabled="true">
          <match url="^(?:.+/)?_api/.+" />
          <conditions>
            <add input="{HTTP_ORIGIN}" pattern="<Confluence server name pattern>" />
          </conditions>
          <serverVariables>
            <set name="CSI_CAPTURED_ORIGIN" value="{C:0}" />
          </serverVariables>
          <action type="None" />
        </rule>
        <rule name="CSI: Capture Access-Control-Request-Method header" enabled="true">
          <match url=".*" />
          <conditions>
            <add input="{CSI_CAPTURED_ORIGIN}" pattern=".+" />
            <add input="{HTTP_ACCESS_CONTROL_REQUEST_METHOD}" pattern=".+" />
          </conditions>
          <serverVariables>
            <set name="CSI_CAPTURED_ACCESS_CONTROL_REQUEST_METHOD" value="{C:0}" />
          </serverVariables>
          <action type="None" />
        </rule>
        <rule name="CSI: Capture Access-Control-Request-Headers header" enabled="true">
          <match url=".*" />
          <conditions>
            <add input="{CSI_CAPTURED_ORIGIN}" pattern=".+" />
            <add input="{HTTP_ACCESS_CONTROL_REQUEST_HEADERS}" pattern=".+" />
          </conditions>
          <serverVariables>
            <set name="CSI_CAPTURED_ACCESS_CONTROL_REQUEST_HEADERS" value="{C:0}" />
          </serverVariables>
          <action type="None" />
        </rule>
        <rule name="CSI: Handle OPTIONS request" enabled="true" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{CSI_CAPTURED_ORIGIN}" pattern=".+" />
            <add input="{REQUEST_METHOD}" pattern="OPTIONS" />
          </conditions>
          <action type="CustomResponse" statusCode="200" statusReason="preflight" statusDescription="preflight" />
        </rule>
        <rule name="CSI: Hide Origin header" enabled="true">
          <match url=".*" />
          <conditions>
            <add input="{CSI_CAPTURED_ORIGIN}" pattern=".+" />
          </conditions>
          <serverVariables>
            <set name="HTTP_ORIGIN" value="" />
          </serverVariables>
          <action type="None" />
        </rule>
      </rules>
      <outboundRules>
        <preConditions>
          <preCondition name="allowedOrigin">
            <add input="{CSI_CAPTURED_ORIGIN}" pattern=".+" />
          </preCondition>
        </preConditions>
        <rule name="CSI: Set Access-Control-Allow-Origin to allowed origin" enabled="true" preCondition="allowedOrigin">
          <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern=".*" negate="false" />
          <conditions>
            <add input="{CSI_CAPTURED_ORIGIN}" pattern=".+" />
          </conditions>
          <action type="Rewrite" value="{C:0}" />
        </rule>
        <rule name="CSI: Set Access-Control-Allow-Credentials for allowed origin" enabled="true" preCondition="allowedOrigin">
          <match serverVariable="RESPONSE_Access-Control-Allow-Credentials" pattern="^$" negate="false" />
          <action type="Rewrite" value="true" />
        </rule>
        <rule name="CSI: Set Access-Control-Allow-Methods for allowed origin" enabled="true" preCondition="allowedOrigin">
          <match serverVariable="RESPONSE_Access-Control-Allow-Methods" pattern="^$" negate="false" />
          <conditions>
            <add input="{CSI_CAPTURED_ACCESS_CONTROL_REQUEST_METHOD}" pattern=".+" />
          </conditions>
          <action type="Rewrite" value="{C:0}" />
        </rule>
        <rule name="CSI: Set Access-Control-Allow-Headers for allowed origin" enabled="true" preCondition="allowedOrigin">
          <match serverVariable="RESPONSE_Access-Control-Allow-Headers" pattern="^$" negate="false" />
          <conditions>
            <add input="{CSI_CAPTURED_ACCESS_CONTROL_REQUEST_HEADERS}" pattern=".+" />
          </conditions>
          <action type="Rewrite" value="{C:0}" />
        </rule>
        <rule name="CSI: Set Access-Control-Max-Age to allow caching of preflight" enabled="true" preCondition="allowedOrigin">
          <match serverVariable="RESPONSE_Access-Control-Max-Age" pattern="^$" negate="false" />
          <conditions logicalGrouping="MatchAny">
            <add input="{CSI_CAPTURED_ACCESS_CONTROL_REQUEST_METHOD}" pattern=".+" />
            <add input="{CSI_CAPTURED_ACCESS_CONTROL_REQUEST_HEADERS}" pattern=".+" />
          </conditions>
          <action type="Rewrite" value="86400" />
        </rule>
      </outboundRules>
    </rewrite>

Don't save the file yet and continue with the next section.

Customize Rewrite Rule

For security reasons, the rules are designed so that CORS is only activated for requests originating from a specific host. This host should be your Confluence server, which still needs to be added to the rules configured in the previous section:

  • Look for the rule named CSI: Capture Origin header.
  • The conditions element of this rule contains the placeholder <Confluence server name pattern> which needs to be replaced with protocol and host name of your Confluence server.
  • Some examples. Let's assume the host name of Confluence is confluence.example.com:
    • In case your Confluence is available via HTTPS, the placeholder needs to be replaced with: https://confluence.example.com
    • If your Confluence is not serving via HTTPS, the placeholder has to be replaced with: http://confluence.example.com
    • To support both HTTP and HTTPS, the placeholder has to be replaced with: http(s)?://confluence.example.com
    • In case your Confluence uses a non-standard port like 8443, it has to be included in the pattern: https://confluence.example.com:8443
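The placeholder value is evaluated as a regular expression, so it is worth checking what a candidate pattern lets through before saving the file. The following added example (not part of the original page) models the condition of the CSI: Capture Origin header rule, assuming URL Rewrite's default pattern settings (ECMAScript syntax, case-insensitive); the helper names and the sample origins other than confluence.example.com are constructed for illustration.

```javascript
// Added example: models the "CSI: Capture Origin header" condition.
// Assumption: URL Rewrite defaults (ECMAScript regex, ignoreCase="true").

// Value the rule would store in CSI_CAPTURED_ORIGIN ({C:0} is the matched
// text), or null when the condition fails and no CORS headers are added.
function capturedOrigin(pattern, originHeader) {
  const m = new RegExp(pattern, "i").exec(originHeader);
  return m ? m[0] : null;
}

// A browser accepts the response only if Access-Control-Allow-Origin
// (the captured value) equals the origin it sent.
function corsGranted(pattern, originHeader) {
  return capturedOrigin(pattern, originHeader) === originHeader;
}

// Escape a literal origin and anchor it so only that exact string matches.
function exactOriginPattern(origin) {
  return "^" + origin.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "$";
}

// Constructed sample Origin header values.
const SAMPLE_ORIGINS = [
  "https://confluence.example.com",      // the intended Confluence server
  "https://confluence.example.com:8443", // same host, different port
  "https://confluence-example.com",      // "." in the pattern matches "-"
  "https://confluence.example.com.test", // longer host sharing the prefix
];

// Origins from the sample list for which CORS would be granted.
function audit(pattern) {
  return SAMPLE_ORIGINS.filter((o) => corsGranted(pattern, o));
}

const asOnPage = "https://confluence.example.com";
const hardened = exactOriginPattern("https://confluence.example.com");

console.log("literal host name  :", audit(asOnPage));
console.log("escaped + anchored :", hardened, audit(hardened));
```

With the escaped and anchored form only the exact origin is captured, and for every other origin the remaining CSI rules do not engage at all. A non-standard port such as 8443 has to be part of the string passed to exactOriginPattern.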

Apply Configuration

The following steps will cause an IIS reset. Consider doing this in a maintenance window to not interrupt the users.

  • Save the modified web.config file.
  • In IIS Manager right-click on the Site to which the SharePoint Online Connector web parts will be deployed.
  • In the opened context menu click Refresh to apply and activate the CORS configuration.

Configuring other SharePoint web applications

The CORS configuration needs to be done for every IIS SharePoint Site that is going to be accessed by the SharePoint Online Connector for Confluence add-on.

