umbraco · elit0451 · Nov 21, 2023 · Nov 21, 2023 · Nov 21, 2023
diff --git a/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeCorsPolicyBuilderExtensions.cs b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeCorsPolicyBuilderExtensions.cs
@@ -0,0 +1,53 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.DependencyInjection;
+using Umbraco.Cms.Core.Models.Configuration;
+using Umbraco.Cms.Web.Common.ApplicationBuilder;
+
+namespace Umbraco.Cms.Api.Management.DependencyInjection;
+
+internal static class BackOfficeCorsPolicyBuilderExtensions
+{
+    internal static IUmbracoBuilder AddCorsPolicy(this IUmbracoBuilder builder)
+    {
+        // FIXME: Get the correct settings once NewBackOfficeSettings is merged with relevant existing settings from Core
+        Uri? backOfficeHost = builder.Config
+            .GetSection($"{Constants.Configuration.ConfigPrefix}NewBackOffice")
+            .Get<NewBackOfficeSettings>()?.BackOfficeHost;
+
+        if (backOfficeHost is null)
+        {
+            return builder;
+        }
+
+        const string policyName = "AllowCustomBackOfficeOrigin";
+
+        // The specified URL must not contain a trailing slash (/)
+        var customOrigin = backOfficeHost.ToString().TrimEnd(Constants.CharArrays.ForwardSlash);
+
+        builder.Services.AddCors(options =>
+        {
+            options.AddPolicy(name: policyName,
+                policy =>
+                {
+                    policy
+                        .WithOrigins(customOrigin)
+                        .AllowAnyHeader()
+                        .AllowAnyMethod()
+                        .AllowCredentials();
+                });
+        });
+
+        builder.Services.Configure<UmbracoPipelineOptions>(options =>
+        {
+            options.AddFilter(new UmbracoPipelineFilter("UmbracoManagementApiCustomHostCorsPolicy")
+            {
+                PostRouting = app => app.UseCors(policyName)
+            });
+        });
+
+        return builder;
+    }
+}
diff --git a/src/Umbraco.Cms.Api.Management/ManagementApiComposer.cs b/src/Umbraco.Cms.Api.Management/ManagementApiComposer.cs
@@ -52,6 +52,7 @@ public void Compose(IUmbracoBuilder builder)
             .AddScripts()
             .AddPartialViews()
             .AddStylesheets()
+            .AddCorsPolicy()
             .AddBackOfficeAuthentication();
 
         services