1

How do I add CORS headers to my MVC6 application? I am interested in Globally and per action.

It seems like ASP.Net vNext/5/Core has undergone some changes so there are different answers to this question for different versions. I'm using RC1.

I have tried this SO "How to enable CORS in ASP.NET Core", but coming to var policy = new Microsoft.AspNet.Cors.Core.CorsPolicy(); the "Core" namespace does not exist.

Tried the answer in "How do you enable cross-origin requests (CORS) in ASP.NET 5 & MVC 6?" but the method/extension methodservices.ConfigureCors does not exist.

The last SO answer is the same as this blog post, which also says to first install Microsoft.AspNet.Cors (Install-Package Microsoft.AspNet.Cors). But doing so makes things worse, then services.AddCors() doesn't exist for some reason.

"Enable cross-origin requests (CORS) in ASP.NET 5 & MVC 6" says to install "Microsoft.AspNet.Cors.Core" which does not exist, and using Microsoft.AspNet.Builder; which doesn't help.

enter image description here

Community
  • 1
  • 1
Tedd Hansen
  • 12,074
  • 14
  • 61
  • 97
  • Try to add `services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyHeader()));` in `ConfigureServices` method and `app.UseCors("AllowAll");` in `Configure` method of `Startup.cs`. You should add `"Microsoft.AspNet.Cors": "6.0.0-rc1-final"` to `"dependencies"` of `project.json`. See [the documentation](http://docs.asp.net/en/latest/security/cors.html?highlight=cors) – Oleg Jan 25 '16 at 09:29
  • That works. As per the the instructions on the blog post it was installing version 5.2.3 of Microsoft.AspNet.Cors, needed version 6.0.0. – Tedd Hansen Jan 25 '16 at 09:36
  • 2
    It's a large problem which have many developers now. The packages will be renames and the requests to the old names will be not redirected. I posted [the suggestion](https://github.com/aspnet/Home/issues/1222), but it seems that Microsoft don't see the problem serious enough. By the way the package is renames now to [Microsoft.AspNetCore.Cors](https://github.com/aspnet/CORS/tree/dev/src/Microsoft.AspNetCore.Cors). :-) – Oleg Jan 25 '16 at 09:43
  • Quite a moving target this CORS. Thanks Oleg, useful to know. So it will probably change once again in next release then. – Tedd Hansen Jan 26 '16 at 18:35

2 Answers2

3

You need to add the prerelease version:

Install-Package Microsoft.AspNet.Cors -PreRelease

Add the following under ConfigureServices in your Startup.cs:

services.AddCors(options =>
{
    options.AddPolicy("AllowFromAll",
        builder => builder
        .WithMethods("GET", "POST")
        .AllowAnyOrigin()
        .AllowAnyHeader());
});

If you want to add it globally, put this under configure:

app.UseCors("AllowFromAll");

If you want it per controller/action you can decorate them with the following:

[EnableCors("AllowFromAll")]

There's a lot more info in the docs regarding cors, for your reference:
http://docs.asp.net/en/latest/security/cors.html

Marius Agur
  • 272
  • 3
  • 11
0

In ASP.NET Core 1.0 release I had to add the following to ConfigureServices in Startup.cs in order to get global CORS configuration to work globally and without attributes:

services.AddMvc(options =>
{
    options.Filters.Add(new CorsAuthorizationFilterFactory("AllowFromAll")); 
});

services.AddCors(options =>
{
    options.AddPolicy("AllowFromAll", builder => builder
        .WithMethods("GET", "POST")
        .AllowAnyOrigin()
        .AllowAnyHeader());
});
Bjorn Reppen
  • 22,007
  • 9
  • 64
  • 88