I'd like to enable CORS on an API built with ASP.NET Core MVC, but all the current documents refer to earlier versions of that framework.
- How about this? http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api – lcryder Mar 17 '15 at 14:08
- As documented in the "new" docs here: http://docs.asp.net/en/latest/security/cors.html and http://mvc.readthedocs.org/en/latest/security/cors-policy.html – Daniel Jun 26 '15 at 20:35
6 Answers
The notes on the new Cors features are very light, but I was able to get it working in my solution by looking at the new classes and methods. My Web API startup.cs looks like this. You can see how you can construct your origins and policies here by using the new `CorsPolicy` class, and enabling CORS with the `AddCors` and `UseCors` methods.
```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    // Add Cors support to the service
    services.AddCors();

    var policy = new Microsoft.AspNet.Cors.Core.CorsPolicy();
    policy.Headers.Add("*");
    policy.Methods.Add("*");
    policy.Origins.Add("*");
    policy.SupportsCredentials = true;

    services.ConfigureCors(x => x.AddPolicy("mypolicy", policy));
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // Configure the HTTP request pipeline.
    app.UseStaticFiles();

    // Use the new policy globally
    app.UseCors("mypolicy");

    // Add MVC to the request pipeline.
    app.UseMvc();
}
```
You can also reference the policy in the controllers with the new attributes like so:

```csharp
[EnableCors("mypolicy")]
[Route("api/[controller]")]
```

- Just a note, I had to add `Microsoft.AspNet.Cors` to my project.json for this to work, more specifically the `app.UseCors("mypolicy");` line reported an error until that package was added. In my case I used version `1.0.0-beta6` (instead of the final `5.2.3` version also available). Also, it is important to add `using Microsoft.AspNet.Builder;` to `Startup.cs` if it's not already there. – Gertsen Aug 06 '15 at 09:23
- Just a note for people... it didn't work for me until I realized I had to put the UseCors before the UseMvc line. – Michael Aug 01 '16 at 14:54
I got it working using the following code:
```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin()));
}
```

You can chain `AllowAnyHeader()` and/or `AllowAnyMethod()` to the configure action if needed.

To configure it for the complete app:

```csharp
public void Configure(IApplicationBuilder app)
{
    app.UseCors("AllowAll");
}
```

Or just for a controller:

```csharp
[EnableCors("AllowAll")]
public class HomeController : Controller
{
    // ...
}
```
--
Update: configuring CORS for all requests can be done a bit easier:
```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddCors();
}

public void Configure(IApplicationBuilder app)
{
    app.UseCors(builder =>
    {
        builder.WithOrigins("http://some.origin.com")
               .WithMethods("GET", "POST")
               .AllowAnyHeader();
    });
}
```
For more information, refer to the docs.

In the most recent RC2 of ASP.NET Core.

The NuGet packages are:

```
"Microsoft.AspNetCore.Owin": "1.0.0-rc2-final",
"Microsoft.AspNetCore.Cors": "1.0.0-rc2-final",
```

In `Startup.cs`:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddCors();
    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    app.UseCors(builder => builder
        .AllowAnyOrigin());

    app.UseMvc();
}
```

- If a browser uses a pre-flight request (https://docs.asp.net/en/latest/security/cors.html#preflight-requests) you also need to set allowed headers and methods: `app.UseCors(_ => _.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod())` – Andriy Tolstoy Aug 03 '16 at 09:57
Support for CORS is currently in development. The following issue is tracking that: https://github.com/aspnet/Mvc/issues/498
Update (3/28/2015):
This feature has been checked in and should be available in the next release.

CS1929: the method `services.ConfigureCors(...)` no longer exists. It is combined into `AddCors`:

```csharp
services.AddCors(options =>
    options.AddPolicy("AllowAllOrigins", builder => builder.AllowAnyOrigin()));
```

Install: `Microsoft.AspNetCore.Cors`

In the `Configure` method:

```csharp
app.UseCors(builder =>
    builder.WithOrigins("http://some.origin.com"));
```

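An added example, not taken from any of the answers above, that combines the points raised on this page for the `Microsoft.AspNetCore.Cors` package: a named policy restricted to one origin, the methods and headers a preflight needs, and `UseCors` registered before `UseMvc`. The policy name, origin URL and controller are hypothetical, and the builder calls assume ASP.NET Core 1.x/2.x.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical policy name, chosen for this example.
    private const string SpaPolicy = "TrustedSpa";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options => options.AddPolicy(SpaPolicy, policy => policy
            // Exact scheme + host + port; the request's Origin header must match.
            // "https://app.example.com" is a placeholder origin.
            .WithOrigins("https://app.example.com")
            // Methods and headers the preflight (OPTIONS) response will allow.
            .WithMethods("GET", "POST")
            .WithHeaders("Content-Type", "Authorization")
            // Needed for cookies or auth headers on cross-origin calls.
            // Pair it with explicit origins only, not with AllowAnyOrigin().
            .AllowCredentials()
            // Let the browser cache the preflight result.
            .SetPreflightMaxAge(TimeSpan.FromMinutes(10))));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // CORS middleware runs before MVC so preflight requests are answered.
        app.UseCors(SpaPolicy);
        app.UseMvc();
    }
}

// Alternative to the global UseCors call: opt in per controller.
[EnableCors("TrustedSpa")]
[Route("api/[controller]")]
public class OrdersController : Controller
{
    // Constructed sample payload.
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "constructed", "sample" });
}
```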