Reputation: 14899
How to enable CORS in ASP.NET Core
I am trying to enable cross origin resources sharing on my ASP.NET Core Web API, but I am stuck.
The EnableCors attribute accepts policyName of type string as parameter:
// Summary:
// Creates a new instance of the Microsoft.AspNetCore.Cors.Core.EnableCorsAttribute.
//
// Parameters:
// policyName:
// The name of the policy to be applied.
public EnableCorsAttribute(string policyName);
What does the policyName mean and how can I configure CORS on an ASP.NET Core Web API?
Upvotes: 342
Views: 467687
Answers (26)
Reputation: 24439
For recent versions, instead of two separate AddCors and UseCors calls, you can just set the policy in UseCors as it provides an overload for that:
app.UseCors(builder =>
{
builder
.AllowAnyHeader()
.AllowAnyMethod()
.AllowAnyOrigin();
});
No AddCors necessary.
Upvotes: 2
Reputation: 4309
you have three ways to enable CORS:
- In middleware using a named policy or default policy.
- Using endpoint routing.
- With the [EnableCors] attribute.
Enable CORS with named policy:
public class Startup
{
readonly string CorsPolicy = "_corsPolicy";
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy(name: CorsPolicy,
builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
// services.AddResponseCaching();
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseRouting();
app.UseCors(CorsPolicy);
// app.UseResponseCaching();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
UseCors must be called before UseResponseCaching when using UseResponseCaching.
Enable CORS with default policy:
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddDefaultPolicy(
builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseRouting();
app.UseCors();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
Enable CORS with endpoint
public class Startup
{
readonly string CorsPolicy = "_corsPolicy ";
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy(name: CorsPolicy,
builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
services.AddControllers();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseRouting();
app.UseCors();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers()
.RequireCors(CorsPolicy)
});
}
}
Enable CORS with attributes
you have two options
- [EnableCors] specifies the default policy.
- [EnableCors("{Policy String}")] specifies a named policy.
Upvotes: 15
Reputation: 26026
If you are hosting on IIS, one possible reason for encountering this issue is that IIS might be blocking the OPTIONS verb.
One telltale indication is you are getting 404 error during OPTIONS request.
To fix this, you need to explicitly tell IIS not to block OPTIONS request.
Go to Request Filtering:
Make sure OPTIONS is allowed:
Or, just create a web.config with the following setting:
<system.webServer>
<security>
<requestFiltering>
<verbs>
<remove verb="OPTIONS" />
<add verb="OPTIONS" allowed="true" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
Upvotes: 17
Reputation: 38199
Having set anonymousAuthentication: true in a file launchSettings.json, it started working for me:
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:44300/",
"sslPort": 0
}
}
Upvotes: 0
Reputation: 1
this code is working my asp.net core api project.
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<ModSecurity enabled="false" configFile="C:\inetpub\wwwroot\owasp_crs\modsecurity.conf" />
.
.
.
</system.webServer>
Upvotes: 0
Reputation: 930
Simple solution
DEVELOPMENT MODE ONLY!
if (app.Environment.IsDevelopment())
{
app.UseCors(p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
}
Upvotes: 2
Reputation: 111
For Web API(ASP.Net core 6.0) In Program.cs just add before builder.Build();
builder.Services.AddCors(p => p.AddPolicy("corsapp", builder =>
{
builder.WithOrigins("*").AllowAnyMethod().AllowAnyHeader();
}));
also add
app.UseCors("corsapp");
Upvotes: 11
Reputation: 1
For "C# - ASP Net Core Web API (Net Core 3.1 LTS)", it worked for me ...
In Startup.cs file:
Inside "ConfigureServices" function add this code:
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader());
});
Note: In case of "CorsPolicy" you can change for what you like or use global variable in "Startup" class.
Inside "Configure" function add this code:
app.UseCors("CorsPolicy");
Check the call order of the functions, it should look like this:
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseCors("CorsPolicy");
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
And finally in your controller class add this code above your functions http:
[EnableCors("CorsPolicy")]
For example:
[EnableCors("CorsPolicy")]
[HttpPost("UserLoginWithGoogle")]
public async Task<ActionResult<Result>> UserLoginWithGoogle([FromBody] TokenUser tokenUser)
{
Result result = await usersGoogleHW.UserLoginWithGoogle(tokenUser.Token);
return new JsonResult(result);
}
Note: "CorsPolicy" must match in the Startup and Controller.
Good luck ...
Upvotes: 0
Reputation: 46621
For ASP.NET Core 6:
var MyAllowSpecificOrigins = "_myAllowSpecificOrigins";
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
options.AddPolicy(name: MyAllowSpecificOrigins,
builder =>
{
builder.WithOrigins("http://example.com",
"http://www.contoso.com");
});
});
// services.AddResponseCaching();
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseCors(MyAllowSpecificOrigins);
app.UseAuthorization();
app.MapControllers();
app.Run();
See the official docs for more samples.
For ASP.NET Core 3.1 and 5.0:
You have to configure a CORS policy at application startup in the ConfigureServices method:
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(o => o.AddPolicy("MyPolicy", builder =>
{
builder.WithOrigins("http://example.com")
.AllowAnyMethod()
.AllowAnyHeader();
}));
// ...
}
The CorsPolicyBuilder in builder allows you to configure the policy to your needs. You can now use this name to apply the policy to controllers and actions:
[EnableCors("MyPolicy")]
Or apply it to every request:
public void Configure(IApplicationBuilder app)
{
app.UseCors("MyPolicy");
// ...
// This should always be called last to ensure that
// middleware is registered in the correct order.
app.UseMvc();
}
Upvotes: 530
Reputation: 131
For ASP.NET Core Web API 5
In ConfigureServices add services.AddCors(); Before services.AddControllers();
Add UseCors in Configure
app.UseCors(x => x
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader());
Upvotes: 3
Reputation: 963
pay attantion that "/" in the end - will block the CORS origin
builder.WithOrigins("http://example.com/","http://localhost:55233/");
will block
use
builder.WithOrigins("http://example.com","http://localhost:55233");
Upvotes: 0
Reputation: 7431
This Cover each endpoint . if you want block some endpoint use this annotation [DisableCors]
it well described here.
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0
Add
app.usecors(policyName)Betweenapp.authentication()andapp.routing()If you are usingapp.usMvc()above it.Inside the Configure Method.Inside the configureService Method
services.AddCors(options => options.AddPolicy(name: mypolicy, builder => { builder.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin(); }));
- In Each controller add
[EnableCors("mypolicy")]
[EnableCors("mypolicy")]
[Route("api/[controller]")] [ApiController]
public class MyController : ControllerBase
eg:-
namespace CompanyApi2
{
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this //method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
options.AddPolicy(name: mypolicy,
builder =>
{
builder.AllowAnyHeader().AllowAnyMethod()
.AllowAnyOrigin();
})); //add this
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddScoped<IDatarepository, DatabaseRepository>();
}
public string mypolicy = "mypolicy";
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseCors(mypolicy); //add this
app.UseHttpsRedirection();
app.UseMvc();
}
}
}
Upvotes: 0
Reputation: 11117
Applies to .NET Core 1 and .Net Core 2
If using .Net-Core 1.1
Unfortunately the docs are very confusing in this specific case. So I'll make it dead-simple:
Add
Microsoft.AspNetCore.Corsnuget package to your projectIn
ConfigureServicesmethod, addservices.AddCors();In
Configuremethod, before callingapp.UseMvc()andapp.UseStaticFiles(), add:app.UseCors(builder => builder .AllowAnyOrigin() .AllowAnyMethod() .AllowAnyHeader() .AllowCredentials());
That's it. Every client has access to your ASP.NET Core Website/API.
If using .Net-Core 2.0
Add
Microsoft.AspNetCore.Corsnuget package to your projectin
ConfigureServicesmethod, before callingservices.AddMvc(), add:services.AddCors(options => { options.AddPolicy("AllowAll", builder => { builder .AllowAnyOrigin() .AllowAnyMethod() .AllowAnyHeader() .AllowCredentials(); }); });(Important) In
Configuremethod, before callingapp.UseMvc(), addapp.UseCors("AllowAll");"AllowAll"is the policy name which we need to mention inapp.UseCors. It could be any name.
Upvotes: 148
Reputation: 1699
Got this working with .NET Core 3.1 as follows
- Make sure you place the
UseCorscode betweenapp.UseRouting();andapp.UseAuthentication();
app.UseHttpsRedirection();
app.UseRouting();
app.UseCors("CorsApi");
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints => {
endpoints.MapControllers();
});
- Then place this code in the
ConfigureServicesmethod
services.AddCors(options =>
{
options.AddPolicy("CorsApi",
builder => builder.WithOrigins("http://localhost:4200", "http://mywebsite.com")
.AllowAnyHeader()
.AllowAnyMethod());
});
- And above the base controller I placed this
[EnableCors("CorsApi")]
[Route("api/[controller]")]
[ApiController]
public class BaseController : ControllerBase
Now all my controllers will inherit from the BaseController and will have CORS enabled
Upvotes: 50
Reputation: 149
for .Net CORE 3.1 use:
app.UseCors(x => x.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader())
Upvotes: 0
Reputation: 246
Install nuget package Microsoft.AspNetCore.CORS
In Startup.cs under ConfigureServices method add the following code before services.AddMVC()
services.AddCors(options =>
{
options.AddPolicy("AllowMyOrigin", p =>
{
p.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod();
});
});
In Startup.cs inside the Configure method add app.UseCors("AllowMyOrigin"); before you call app.UseMvc()
Note that when sending a request from client side remember to use https instead of http.
Upvotes: -1
Reputation: 5658
Got this working with .Net Core 3.1 as follows:
In ConfigureServices() method:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddCors();
...
}
In Configure() method:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
...
app.UseCors(builder =>
builder.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod()
);
...
}
Upvotes: 0
Reputation: 101
Lately when hosting the web app server on azure web app, had to edit azure app cors settings to resolve the matter (code only did not solve the issue)
- Less secured - Enable Access-Control-Allow-Credentials -leave it blank and add * as an allowed origin
- Mark Enable Access-Control-Allow-Credentials and then add the domains you want to allow the requests from
Upvotes: 0
Reputation: 3646
Some troubleshooting tips, after I managed to waste two hours on the most trivial CORS issue:
If you see
CORS policy execution failedlogged... Don't assume that your CORS policy is not executing properly. In fact, the CORS middleware works, and your policy is executing properly. The only thing this badly worded message means is that the request's origin doesn't match any of the allowed origins (see source), i.e. the request is disallowed.The origin check (as of ASP.NET Core 5.0) happens in a very simple way... i.e. case-sensitive ordinal string comparison (see source) between the strings you provided via
WithOrigins()and what exists inHttpContext.Request.Headers[Origin].CORS can fail if you set an allowed origin with a trailing slash
/, or if it contains uppercase letters. (In my case I did in fact accidentally copy the host with a trailing slash.)
Upvotes: 0
Reputation: 1839
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowAnyOrigin",
builder => builder
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader());
});
services.Configure<MvcOptions>(options => {
options.Filters.Add(new CorsAuthorizationFilterFactory("AllowAnyOrigin"));
});
}
Upvotes: 7
Reputation: 138
In case you get the error "No 'Access-Control-Allow-Origin' header is present on the requested resource." Specifically for PUT and DELETE requests, you could try to disable WebDAV on IIS.
Apparently, the WebDAVModule is enabled by default and is disabling PUT and DELETE requests by default.
To disable the WebDAVModule, add this to your web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="false">
<remove name="WebDAVModule" />
</modules>
</system.webServer>
Upvotes: 2
Reputation: 1157
Step 1: We need Microsoft.AspNetCore.Cors package in our project. For installing go to Tools -> NuGet Package Manager -> Manage NuGet Packages for Solution. Search for Microsoft.AspNetCore.Cors and install the package.
Step 2: We need to inject CORS into the container so that it can be used by the application. In Startup.cs class, let’s go to the ConfigureServices method and register CORS.
So, in our server app, let’s go to Controllers -> HomeController.cs and add the EnableCors decorator to the Index method (Or your specific controller and action):
For More Detail Click Here
Upvotes: -1
Reputation: 53
All the workaround mentioned above may work or may not work, in most cases it will not work. I have given the solution here
Currently I am working on Angular and Web API(.net Core) and came across CORS issue explained below
The solution provided above will always work. With 'OPTIONS' request it is really necessary to enable 'Anonymous Authentication'. With the solution mentioned here you don't have to do all the steps mentioned above, like IIS settings.
Anyways someone marked my above post as duplicate with this post, but I can see that this post is only to enable CORS in ASP.net Core, but my post is related to, Enabling and implementing CORS in ASP.net Core and Angular.
Upvotes: 1
Reputation: 4510
Specifically in dotnet core 2.2 with SignalR you must change
.WithOrigins("http://localhost:3000") or
.SetIsOriginAllowed(isOriginAllowed: _ => true) //for all origins
instead .AllowAnyOrigin() with .AllowCredentials()
https://trailheadtechnology.com/breaking-change-in-aspnetcore-2-2-for-signalr-and-cors/
https://github.com/aspnet/AspNetCore/issues/4483
Upvotes: 17
Reputation: 2873
You have to configure in Startup.cs class
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
});
Upvotes: 12
Reputation: 14899
Based on Henk's answer I have been able to come up with the specific domain, the method I want to allow and also the header I want to enable CORS for:
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
options.AddPolicy("AllowSpecific", p => p.WithOrigins("http://localhost:1233")
.WithMethods("GET")
.WithHeaders("name")));
services.AddMvc();
}
usage:
[EnableCors("AllowSpecific")]
Upvotes: 51
Related Questions
- How to enable CORS in ASP.net Core WebAPI
- How to enable cors in ASP.NET Core 6.0 Web API project?
- How to enable CORS in Asp.Net Core 3.0 WebAPI
- How to enable Cors for every type of request in asp.net core 3.1
- CORS in .NET Core
- Enabling CORS in ASP.NET Core 6
- Allow Cors Origin in ASP.NET Core
- ASP.NET Core API Enabling Cors not working
- How to get rid of CORS in .net core 2.2?
- How can I use CORS for ASP.Net Core