The Plan of this Tutorial
We shall define three policies. The first will be a default policy that will permit requests to all origins and all schemes; the second would be a named policy that will allow requests to two origins only, and the third too would be a named policy permitting requests to just one origin.
After that we shall apply these policies to three web API end-points. Each end-point would thus open itself to a different set of origins.
Finally, we shall test each of these end-points with curl.
Video Explanation (see it happen!)
Please watch the following youtube video:
The ASPNET Core Project
We have already created an ASPNET Core project. It can be obtained from the downloads attached to this tutorial.
Open the solution explorer and locate the program.cs file. Double-click and open it!
Let's study the code line by line.
The first three lines are the usual boilerplates.
After that, we have added a cross-origin resource sharing [CORS] service to the services collection.
using Microsoft.AspNetCore.Cors; var builder = WebApplication.CreateBuilder(); builder.Services.AddRazorPages(); // add service for cors builder.Services.AddCors(options => { // default policy options.AddDefaultPolicy( policy => { policy.AllowAnyOrigin(); }); // named policy options.AddPolicy("PolicyA", policy => { policy.WithOrigins( "https://hoven.in", "https://google.com" ); }); // named policy options.AddPolicy("PolicyB", policy => { policy.WithOrigins( "https://localhost:7975" ); }); }); var app = builder.Build(); app.UseCors(); app.MapRazorPages(); // default policy app.MapGet("/check", [EnableCors]() => "hello api check"); // policy PolicyA, hoven.in and google.com app.MapGet("/check2", [EnableCors("PolicyA")]() => "hello api check2"); // policy PolicyB, localhost:7975 app.MapGet("/check3", [EnableCors("PolicyB")] () => "hello api check3"); app.Run();
First, we add a default policy. The function AllowAnyOrigin enables cross-origin requests from every origin. We have done this for the sake of a tutorial and to teach the availability of such a function.
Then we add a named policy to allow requests from two origins only.
Thirdly, we have added another named policy to allow requests from just one origin.
The next step is to add the cross-origin CORS middleware with the UseCors extension method.
The handler for the GET request to the /check endpoint has the [EnableCors] attribute. Since no policy has been specified, the default policy applies. So cross-site requests are allowed from all origins.
PolicyA applies to the /check2 endpoint, which restricts cross-origin requests to two websites.
Lastly, PolicyB on the /check3 endpoint restricts cross-origin requests to only one origin.
Run the Project and Verify
Run the project and allow the home page to open.
Next open the command prompt and type the following curl command -
// refer previous tutorial for a primer // on the usage of curl curl -i https://localhost:7276/check -H "origin:https://microsoft.com"
This command sends a GET request to the /check endpoint from a third-party website. But since the default policy applies, and since it allows requests from all origins, we expect to receive the Access-Control-Allow-Origin header in the response.
HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Date: Tue, 16 Aug 20... Server: Kestrel Access-Control-Allow-Origin: * Transfer-Encoding: chunked
Hit the enter key. We verify that the header is indeed present in the response. Therefore, the cross-origin request will succeed!
Again open the command prompt and type the following curl command -
// refer previous tutorial for a primer // on the usage of curl curl -i https://localhost:7276/check2 -H "origin:https://hoven.in"
This command sends a GET request to the /check2 endpoint from a third-party website. But since Policy A applies, and since it allows requests from hoven.in, we expect to receive the Access-Control-Allow-Origin header in the response.
HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Date: Tue, 16 Aug 20... Server: Kestrel Access-Control-Allow-Origin: https://hoven.in Transfer-Encoding: chunked
Hit the enter key. We verify that the header is indeed present with a value equal to the name of the permitted website. Therefore, the cross-origin request will succeed!
Again open the command prompt and type the following curl command -
// refer previous tutorial for a primer // on the usage of curl curl -i https://localhost:7276/check3 -H "origin:https://hoven.in"
This command sends a GET request to the /check3 endpoint from a third-party website. But since Policy B applies, and since it doesn't allow requests from hoven.in, we expect that the Access-Control-Allow-Origin header to be absent.
HTTP/1.1 200 OK Content-Type: text/plain; charset=utf-8 Date: Tue, 16 Aug 20... Server: Kestrel Transfer-Encoding: chunked
Hit the enter key. We verify that the header is indeed absent. Therefore, the cross-origin request will fail.
We have seen how to apply policy-based restrictions and permissions for cross-origin requests. Thanks!
This Blog Post/Article "(CORS C# ASP.NET Core) Enabling CORS with a Policy" by Parveen is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.