Browser security prevents a web page from making AJAX requests to another domain. This restriction is called the same-origin policy and prevents a malicious site from reading sensitive data from another site. However, sometimes you might want to let other sites make cross-origin requests to your web API. Using CORS, a server can explicitly allow some cross-origin requests while rejecting others.
Two URLs have the same origin if they have identical schemes, hosts, and ports. Add the Cors package to your project. Note that the CORS middleware must precede any defined endpoints in your app that you want to support cross-origin requests.
There are two ways to do this. The first is to call UseCors with a lambda. The lambda takes a CorsPolicyBuilder object. You'll find a list of the configuration options later in this topic. In this example, the policy allows cross-origin requests from http: The second approach is to define one or more named CORS policies, and then select the policy by name at run time.
To select the policy, pass the policy name to UseCors. The precedence order is: action-level policies take precedence over controller-level policies, and controller-level policies take precedence over global policies.
The policy can also set the allowed HTTP methods, the allowed request headers, the exposed response headers, whether credentials are permitted in cross-origin requests, and the preflight expiration time. Consider carefully before allowing requests from any origin.
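The wiring described above, as an added example that is not code from the original page or from the ASP.NET Core project itself. It assumes the .NET 6+ minimal hosting model and the Microsoft.AspNetCore.Cors attributes; the origins, policy names and the ReportsController are constructed for illustration.

```csharp
// Added example: registering CORS policies, placing UseCors before the
// endpoints, and the precedence of action > controller > global policies.
// Origins, policy names and the controller below are constructed.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddCors(options =>
{
    // Global (default) policy, applied by app.UseCors() when no name is given.
    // One explicitly listed origin; AllowAnyOrigin() is not used because the API
    // is assumed to serve data that should not be readable from arbitrary sites.
    options.AddDefaultPolicy(policy =>
        policy.WithOrigins("https://app.example.com")      // constructed origin
              .WithMethods("GET", "POST")
              .WithHeaders("Content-Type", "X-Requested-With"));

    // Named policy, selected per controller or per action with [EnableCors].
    options.AddPolicy("ReportingPartners", policy =>
        policy.WithOrigins("https://reports.partner.example") // constructed origin
              .WithMethods("GET"));
});

var app = builder.Build();

// The CORS middleware must run before the endpoints it applies to.
app.UseCors();   // default policy for everything mapped below
// Alternative (the lambda form): app.UseCors(p => p.WithOrigins("https://app.example.com"));
app.MapControllers();
app.Run();

// Precedence: an action-level attribute wins over the controller-level one,
// and the controller-level attribute wins over the global policy.
[ApiController]
[Route("api/[controller]")]
[EnableCors("ReportingPartners")]   // controller-level: replaces the global policy here
public class ReportsController : ControllerBase
{
    [HttpGet]
    public IActionResult List() => Ok(new[] { "q1", "q2" });   // ReportingPartners applies

    [HttpGet("internal")]
    [DisableCors]                    // action-level: no cross-origin access to this action
    public IActionResult Internal() => Ok("internal only");
}
```

Run with `dotnet run` and request `/api/reports` from a page on an origin other than the listed ones: the browser receives no Access-Control-Allow-Origin header and withholds the response from the calling script, which is the behaviour the policy is meant to produce.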
Browsers are not entirely consistent in how they set Access-Control-Request-Headers. By default, the browser doesn't expose all of the response headers to the application. The CORS spec calls the response headers that are available by default "simple response headers". To make other headers available to the application, set the exposed response headers in the policy. Credentials require special handling in a CORS request. By default, the browser doesn't send any credentials with a cross-origin request.
Credentials include cookies as well as HTTP authentication schemes. With credentials allowed in the policy, the HTTP response will include an Access-Control-Allow-Credentials header, which tells the browser that the server allows credentials for a cross-origin request.
If the browser sends credentials, but the response doesn't include a valid Access-Control-Allow-Credentials header, the browser won't expose the response to the application, and the AJAX request fails.
Be careful when allowing cross-origin credentials. A website at another domain can send a logged-in user's credentials to the app on the user's behalf without the user's knowledge. The Access-Control-Max-Age header specifies how long the response to the preflight request can be cached. To set this header, set the preflight expiration time in the policy. If a browser supports CORS, it sets the CORS request headers automatically for cross-origin requests.
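The header-level options from the preceding paragraphs (exposed response headers, credentials, preflight expiration) in one policy, as an added example that is not from the original page or the ASP.NET Core project. It assumes .NET 6+ and the minimal API endpoints; the origins, header names and routes are constructed.

```csharp
// Added example: a credentialed policy next to a public read-only one.
// Origins, header names and routes are constructed for illustration.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(options =>
{
    options.AddPolicy("SpaWithCookies", policy =>
        policy
            // Credentials require an explicit origin list. AllowAnyOrigin()
            // combined with AllowCredentials() is rejected when the policy is
            // built, and for good reason: any site could then act with a
            // logged-in user's cookies.
            .WithOrigins("https://spa.example.com")
            .AllowCredentials()
            // Headers beyond the simple response headers that the client
            // script is allowed to read.
            .WithExposedHeaders("X-Request-Id", "X-RateLimit-Remaining")
            .WithMethods("GET", "POST", "PUT", "DELETE")
            .WithHeaders("Content-Type", "Authorization")
            // Access-Control-Max-Age: how long the browser may cache the
            // preflight answer. Kept short so policy changes take effect soon.
            .SetPreflightMaxAge(TimeSpan.FromMinutes(10)));

    // Data that genuinely is public: any origin, but no credentials and
    // no state-changing methods.
    options.AddPolicy("PublicReadOnly", policy =>
        policy.AllowAnyOrigin()
              .WithMethods("GET")
              .WithHeaders("Content-Type"));
});

var app = builder.Build();

app.UseCors();   // before the endpoints; each endpoint names its policy below

app.MapGet("/session/profile", () => Results.Ok(new { name = "demo" }))
   .RequireCors("SpaWithCookies");

app.MapGet("/public/status", () => Results.Ok("ok"))
   .RequireCors("PublicReadOnly");

app.Run();
```

The split into two policies is the point: the endpoint that depends on the user's session gets a short, explicit origin list with credentials, while the endpoint that exposes nothing user-specific can accept any origin precisely because credentials are never involved.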
Here is an example of a cross-origin request. The Origin header provides the domain of the site that's making the request. If the server allows the request, it sets the Access-Control-Allow-Origin header in the response.
If the response doesn't include that header, the browser disallows the request. Even if the server returns a successful response, the browser doesn't make the response available to the client application.
For some CORS requests, the browser sends an additional request, called a "preflight request", before it sends the actual request for the resource. The browser can skip the preflight request if the following conditions are true.
The CORS specification calls these "author request headers". The preflight request also lists the request headers that the application set on the actual request. Again, this doesn't include headers that the browser sets. The response includes an Access-Control-Allow-Methods header that lists the allowed methods, and optionally an Access-Control-Allow-Headers header, which lists the allowed headers. If the preflight request succeeds, the browser sends the actual request, as described earlier.
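The preflight exchange above, as an added, self-contained model that is not the ASP.NET Core middleware and not code from the original page. It evaluates a constructed preflight request against a small constructed policy and composes the response headers a server should send; both sides' messages are embedded inline. Only the standard library is used, so it compiles as a plain console program.

```csharp
// Added example: a minimal model of the server-side preflight decision.
// The policy sets and both request messages are constructed for the example.
using System;
using System.Collections.Generic;
using System.Linq;

static class PreflightDemo
{
    // The policy the server enforces (constructed).
    static readonly HashSet<string> AllowedOrigins =
        new(StringComparer.OrdinalIgnoreCase) { "https://app.example.com" };
    static readonly HashSet<string> AllowedMethods =
        new(StringComparer.OrdinalIgnoreCase) { "GET", "POST", "PUT" };
    static readonly HashSet<string> AllowedHeaders =
        new(StringComparer.OrdinalIgnoreCase) { "Content-Type", "X-Api-Version" };

    // Returns the CORS response headers for an OPTIONS preflight, or null when
    // the request must get no CORS headers (the browser then blocks the
    // actual request).
    public static Dictionary<string, string>? HandlePreflight(
        Dictionary<string, string> requestHeaders)
    {
        if (!requestHeaders.TryGetValue("Origin", out var origin)
            || !AllowedOrigins.Contains(origin))
            return null;                               // unlisted origin

        if (!requestHeaders.TryGetValue("Access-Control-Request-Method", out var method)
            || !AllowedMethods.Contains(method))
            return null;                               // method not allowed

        // Browsers are not consistent in how they send this header, so treat
        // it as a case-insensitive, comma-separated list and trim each entry.
        var requested = requestHeaders.TryGetValue("Access-Control-Request-Headers", out var h)
            ? h.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
            : Array.Empty<string>();
        if (requested.Any(x => !AllowedHeaders.Contains(x)))
            return null;                               // an author header is not allowed

        return new Dictionary<string, string>
        {
            // Echo the specific origin rather than "*"; the browser compares
            // it with the page's own origin.
            ["Access-Control-Allow-Origin"] = origin,
            ["Access-Control-Allow-Methods"] = string.Join(", ", AllowedMethods),
            ["Access-Control-Allow-Headers"] = string.Join(", ", AllowedHeaders),
            ["Access-Control-Max-Age"] = "600",
            // The answer depends on Origin, so shared caches must key on it.
            ["Vary"] = "Origin",
        };
    }

    static void Main()
    {
        // Constructed preflight, as a browser sends it before
        // PUT /items/1 with a JSON body and a custom X-Api-Version header.
        var preflight = new Dictionary<string, string>
        {
            ["Origin"] = "https://app.example.com",
            ["Access-Control-Request-Method"] = "PUT",
            ["Access-Control-Request-Headers"] = "content-type, x-api-version",
        };
        Print("OPTIONS /items/1 from a listed origin", HandlePreflight(preflight));

        // The same preflight from an origin the policy does not list.
        preflight["Origin"] = "https://other.example.net";
        Print("OPTIONS /items/1 from an unlisted origin", HandlePreflight(preflight));
    }

    static void Print(string label, Dictionary<string, string>? headers)
    {
        Console.WriteLine(label);
        if (headers == null)
        {
            Console.WriteLine("  -> no CORS headers; the browser blocks the actual request");
            return;
        }
        foreach (var kv in headers)
            Console.WriteLine($"  {kv.Key}: {kv.Value}");
    }
}
```

The first run prints the Access-Control-Allow-* headers and the browser would proceed to the actual PUT; the second run prints nothing but the rejection line, which mirrors the page's point that a successful HTTP response without the CORS headers is still withheld from the calling script.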