0

I follow this page to enable cross domain request.
EnableCors on global scope always works.

var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);

However, EnableCors on controller scope will fail the preflight request with request method 'OPTIONS'.

[EnableCors(origins: "*", headers: "*", methods: "*")]

To get it working I need to add a custom delegatehandler shown on this answer, which allows the 'OPTION' method.
I have googled it, but not much details about the difference. Can someone explain to me the difference?

Community
  • 1
  • 1
Jonathon
  • 552
  • 1
  • 9
  • 14

1 Answers1

0

You can apply the EnableCors attribute at the method level, you can also apply it at the class level or globally to the application. The level at which the attribute is applied configures CORS for all requests at that level and below in your Web API code.

For example, if applied at the method level, the policy will only apply to requests for that action, whereas if applied at the class level, the policy will be for all requests to that controller. Finally, if applied globally, the policy will be for all requests

Vicky
  • 2,027
  • 1
  • 19
  • 31
  • Hi Vicky,I understand this logic. My question is why apply CORS on controller level failed the preflight request. But not when apply on the global scope. – Jonathon Sep 22 '16 at 22:57