Access restriction not working after enabling CORS

Question

There are two MVC projects in the same solution - a web app and the web api. The URLS are https://localhost:44323/ & http://localhost:59171/ respectively.
I'm testing the CORS functionality.

WebApiConfig.cs

public static void Register(HttpConfiguration config)
        {
            EnableCorsAttribute cors = new EnableCorsAttribute("https://myapp.stg.org:8700, https://myapp.prd.org:9700", "*", "*");
            config.EnableCors(cors);

            config.MapHttpAttributeRoutes();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{action}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }

That is the only change I have made.
When I browse the website from local system, I'm expecting that it should throw an error or not open the site, as the local URLs are not specified in the allowed origins. But the site still loads fine and gets data from the API.

Is there any other configuration to be made.

@Aarif thats to allow all headers. https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api — sukesh, Mar 22 '19 at 13:08

Access restriction not working after enabling CORS

0 Answers0