Cross-Origin Resource Sharing (CORS) in ASP.NET Core

Cross-Origin Resource Sharing (CORS) deals with sharing restricted resources with requests that come from a domain other than the one serving the resource. Check out this Wikipedia article for a good overview of the subject. If you read the post on Aurelia with an ASP.NET Core API then you might recall that cross-origin requests had to be enabled to allow the front end project to communicate with the API project.

When working on the post mentioned above I only spent enough time on the CORS options in ASP.NET Core to get the sample up and running. This post is going to expand on the path I used to get my sample working and explore some of the options ASP.NET Core offers. The official ASP.NET docs were very helpful in this exploration.

Starting point

In the API project the following was added in the Configure function of Startup to allow any request regardless of headers, method or origin.

app.UseCors(builder =>
    {
        builder.AllowAnyHeader();
        builder.AllowAnyMethod();
        builder.AllowAnyOrigin();
    }
);

Limiting CORS

The above leaves the site wide open for cross-origin requests. Unless you have a need to allow any request it seems like a good idea to limit CORS. Keep in mind I am pretty new to the subject and I'm sure there are many nuances that will need to play into a live CORS strategy. For example the following limits CORS requests to the two domains listed and only allows GET and POST.

app.UseCors(builder =>
    {
        builder.WithOrigins("http://google.com", "http://elanderson.net")
               .WithMethods("GET", "POST")
               .AllowAnyHeader();
    }
);

Note that origins are identified by scheme, host and port all being the same. For example all of the following would be considered different origins.

URLs with different origins
http://google.com
https://google.com
http://www.google.com
https://www.google.com
http://google.com:5000
https://google.com:5000
http://google.com:6000
https://google.com:6000
http://bing.com
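To make the origin rule concrete, here is an added Python model (my own illustration, not code from this post or from ASP.NET Core) that reduces each URL to its (scheme, host, port) origin, folds in default ports the way browsers do when they build the Origin header, and then decides, for the two-origin GET/POST policy shown earlier, whether a request or preflight should receive an Access-Control-Allow-Origin header. The names POLICY, origin_tuple and cors_decision are mine; the policy is a constructed mirror of the WithOrigins/WithMethods call above.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Reduce a URL to the (scheme, host, port) triple that defines its origin.
    A missing port falls back to the scheme default, so http://a.com and
    http://a.com:80 are the same origin; any other difference is a new origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def distinct_origins(urls):
    """Count how many different origins a list of URLs really contains."""
    return {origin_tuple(u) for u in urls}


# Constructed policy modelled on the WithOrigins("...").WithMethods("GET", "POST")
# configuration from the post (not the framework's own representation).
POLICY = {
    "origins": {origin_tuple("http://google.com"), origin_tuple("http://elanderson.net")},
    "methods": {"GET", "POST"},
}


def cors_decision(policy, origin_header, method, preflight_method=None):
    """Return the Access-Control-Allow-Origin value the server should emit, or
    None to emit no CORS headers at all (the browser then refuses the read).
    For a preflight (OPTIONS plus Access-Control-Request-Method) the method the
    browser intends to use must also be on the policy's list."""
    if origin_header is None:
        return None  # same-origin or non-browser request: nothing to decide
    try:
        origin = origin_tuple(origin_header)
    except (KeyError, ValueError, AttributeError):
        return None  # unparseable Origin header: treat as not allowed
    if origin not in policy["origins"]:
        return None
    checked = preflight_method if method == "OPTIONS" and preflight_method else method
    if checked not in policy["methods"]:
        return None
    # Echo the specific origin rather than "*": the browser compares it literally.
    return origin_header
```

Because the framework matches the origin strings you configure, list them exactly as a browser sends them (scheme://host, plus the port only when it is not the scheme default).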

Set CORS on a Controller or Action

MVC doesn’t force the whole site to use the same CORS settings. Just like with authorization, CORS can be set per Controller or Action. To use this style of CORS, the ConfigureServices function of the Startup class needs to add CORS as a service and set up one or more policies. The name of the policy is then used with the EnableCors attribute to specify where the policy is applied.

In ConfigureServices call services.AddCors, which allows policies to be added and makes them available to controllers and actions. The following example adds an “AllowGoogle” CORS policy that allows http://google.com with any header and any method.

services.AddCors(options =>
{
    options.AddPolicy("AllowGoogle",
        builder => builder.WithOrigins("http://google.com")
                          .AllowAnyHeader()
                          .AllowAnyMethod());
});

Then to apply this policy to a controller or an action add the EnableCors attribute. The following example applies the “AllowGoogle” policy to the whole HomeController.

[EnableCors("AllowGoogle")]
public class HomeController : Controller

Now if you want to exempt the Index from the “AllowGoogle” CORS policy use the DisableCors attribute.

[DisableCors]
public IActionResult Index()

Wrapping up

I am sure the CORS subject goes much deeper than what I covered today, but I wanted to share what I have learned so far as it applies to ASP.NET Core. If you have more resources or have something to add please leave a comment.
