I am working on a WebAPI project (my first) and am using EnableCors to limit where my api calls can come from. Just for testing, I did not include "http://localhost" as an allowable url.
In Chrome, I get an error stating localhost isn't allowed access (the expected result) and Microsoft Edge functions normally (no error, unexpected result). Is this an "undocumented feature" of Edge? Or am I doing something wrong that's causing it not to work with Edge?
Thanks!
This is the expected behavior for Microsoft Edge and Microsoft Internet Explorer: they do not include the port number when evaluating the Same origin policy, so http://localhost:8080 and (e.g.) http://localhost:8081 are the same origin for them.
This is why Edge do not complains about not finding the Access-Control-Allow-Origin header in the response (for it it's not even a cross-origin request).
Reference:
Internet Explorer 11 does not add the Origin header on a CORS request?
