How to enable Cross-Origin Requests (CORS) in ASP.NET Core?

Browser security prevents a web page from making requests to a different domain than the one that served the web page. This restriction is called the same-origin policy. The same-origin policy prevents a malicious site from reading sensitive data from another site. Sometimes, you might want to allow other sites to make cross-origin requests to your app. For more information, see the Mozilla CORS article.

Cross Origin Resource Sharing (CORS):

  • Is a W3C standard that allows a server to relax the same-origin policy.
  • Is not a security feature, CORS relaxes security. An API is not safer by allowing CORS. For more information, see How CORS works.
  • Allows a server to explicitly allow some cross-origin requests while rejecting others.
  • Is safer and more flexible than earlier techniques, such as JSONP.

Same origin

Two URLs have the same origin if they have identical schemes, hosts, and ports (RFC 6454).

These two URLs have the same origin:

  • https://example.com/foo.html
  • https://example.com/bar.html

These URLs have different origins than the previous two URLs:

  • https://example.net: Different domain
  • https://www.example.com/foo.html: Different subdomain
  • http://example.com/foo.html: Different scheme
  • https://example.com:9000/foo.html: Different port

Enable CORS

There are three ways to enable CORS:

Using the [EnableCors] attribute with a named policy provides the finest control in limiting endpoints that support CORS.

 Warning

UseCors must be called in the correct order. For more information, see Middleware order. For example, UseCors must be called before UseResponseCaching when using UseResponseCaching.

Each approach is detailed in the following sections.

CORS with named policy and middleware

CORS Middleware handles cross-origin requests. The following code applies a CORS policy to all the app's endpoints with the specified origins:

C#
var  MyAllowSpecificOrigins = "_myAllowSpecificOrigins";

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    options.AddPolicy(name: MyAllowSpecificOrigins,
                      policy  =>
                      {
                          policy.WithOrigins("http://example.com",
                                              "http://www.contoso.com");
                      });
});

// services.AddResponseCaching();

builder.Services.AddControllers();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

app.UseCors(MyAllowSpecificOrigins);

app.UseAuthorization();

app.MapControllers();

app.Run();

Comments

Post a Comment

Popular posts from this blog

ASP.NET Core | Change Token

A  change token  in ASP.NET Core is a general-purpose, low-level building block used to track state changes. Let me break it down for you: IChangeToken Interface : The  IChangeToken  interface propagates notifications that a change has occurred. It resides in the  Microsoft.Extensions.Primitives  namespace and is implicitly provided to ASP.NET Core apps via the  Microsoft.Extensions.Primitives  NuGet package. Key properties: ActiveChangeCallbacks : Indicates whether the token proactively raises callbacks. If set to  false , a callback is never called, and the app must poll  HasChanged  for changes. HasChanged : Receives a value that indicates if a change has occurred. Additionally, it includes the  RegisterChangeCallback(Action<Object>, Object)  method, which registers a callback invoked when the token changes 1 . ChangeToken Class : The  ChangeToken  class is static and used to propagate notifications that...
Read more

ASP.NET Core | Open Web Interface for .NET (OWIN)

Image
ASP.NET Core supports the Open Web Interface for .NET (OWIN). OWIN allows web apps to be decoupled from web servers. It defines a standard way for middleware to be used in a pipeline to handle requests and associated responses. ASP.NET Core applications and middleware can interoperate with OWIN-based applications, servers, and middleware. Running OWIN middleware in the ASP.NET pipeline ASP.NET Core’s OWIN support is deployed as part of the  Microsoft.AspNetCore.Owin  package. You can import OWIN support into your project by adding this package as a dependency in your  project.json  file: "dependencies" : { "Microsoft.AspNetCore.Server.IISIntegration" : "1.0.0" , "Microsoft.AspNetCore.Server.Kestrel" : "1.0.0" , "Microsoft.AspNetCore.Owin" : "1.0.0" }, OWIN middleware conforms to the  OWIN specification , which requires a  Func<IDictionary<string,   object>,   Task>  interface, and...
Read more

How will you improve performance of ASP.NET Core Application?

Cache aggressively Caching is discussed in several parts of this article. For more information, see  Overview of caching in ASP.NET Core . Understand hot code paths In this article, a  hot code path  is defined as a code path that is frequently called and where much of the execution time occurs. Hot code paths typically limit app scale-out and performance and are discussed in several parts of this article. Avoid blocking calls ASP.NET Core apps should be designed to process many requests simultaneously. Asynchronous APIs allow a small pool of threads to handle thousands of concurrent requests by not waiting on blocking calls. Rather than waiting on a long-running synchronous task to complete, the thread can work on another request. A common performance problem in ASP.NET Core apps is blocking calls that could be asynchronous. Many synchronous blocking calls lead to  Thread Pool starvation  and degraded response times. Do not  block asynchronous execution by...
Read more