Enabling multiple CORS for Web API

Question

I have a Web API I wrote and one application utilizing it. SO I added CORS header for that applicaiton by adding a header to the controller class within my API:

[EnableCors(origins: "http://localhost:59452", headers: "*", methods: "*")]

The above worked fine. Now I also want more applications consuming that web API. My question is how do I make this happen?

score 34 · Accepted Answer · answered Feb 02 '16 at 15:28

34

You can add multiple origins by separating them with commas:

[EnableCors(origins: "http://localhost:59452,http://localhost:25495,http://localhost:8080", headers: "*", methods: "*")]

answered Feb 02 '16 at 15:28

Sean Bright

118,630
17
138
146

2

Is this the current method? I see other questions/answer where the users had to create lots of code to achieve it. – Si8 Jan 20 '17 at 17:29
@Sean Bright can I use origins:"*" to allow any domain? – TAHA SULTAN TEMURI Nov 04 '17 at 06:12
2

Chrome and others block this, throwing an error about multiple values and only one is allowed. – Connie DeCinko Jun 19 '19 at 16:14

score 28 · Answer 2 · edited Oct 20 '16 at 17:19

Sean's answer is good enough for simple scenarios but please note that an attribute argument must be a constant expression, so you can't say [EnableCors(origins:GetAllowedOrigins()... If a client changes their origin or you need to add a new one you will need to make code changes and re-deploy site to the server.

As an alternative you can enable CORS in the WebApiConfig.cs Register() method.This enables CORS globally but allows you to dynamically set the allowed origins.This allows you to maintain a list of allowed origins in a database for example and can be updated as needed.You would still need to restart the web application after any changes but no code changes will be necessary:

public static class WebApiConfig
{
    private static string GetAllowedOrigins()
    {
        //Make a call to the database to get allowed origins and convert to a comma separated string
        return "http://www.example.com,http://localhost:59452,http://localhost:25495";
    }

    public static void Register(HttpConfiguration config)
    {
        string origins = GetAllowedOrigins();
        var cors = new EnableCorsAttribute(origins, "*", "*");
        config.EnableCors(cors);

        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional }
        );
    }
}

is there a way to dynamically use the AllowedOrigins list for a specific action not globally enabled??? — Nerdroid, Jul 19 '17 at 01:44
@Moes you can create a custom attribute that implements ICorsPolicyProvider and source the origins from config, database, etc. - any source you want. — ramseyjacob, Mar 26 '18 at 17:10
Does this get around the issue of Chrome throwing a fit over multiple origins in the list when only one is allowed? — Connie DeCinko, Jun 19 '19 at 16:19

Tracy · Answer 3 · 2018-04-21T00:16:04.873

2

I suspect it depends on the requester. According to this MS article, only one origin is allowed. The comma delimited string approach suggested above appears to work in test-cors, but not in an SPFx web part.

Also the wildcard (*) origin does not work in cases where cookie/credentials are included (at least in SPFx).

edited Apr 21 '18 at 00:16

answered Apr 21 '18 at 00:09

Tracy

680
7
16

Enabling multiple CORS for Web API

3 Answers3

Linked