(CORS C# ASP.NET Core) Enabling CORS with a Policy

An ASPNET Core application can permit cross-origin requests by adding "Access-Control-Allow-Origin" header to the HTTP response. Cross-origin requests are not allowed by default; they must be allowed explicitly. One way of doing it is by defining a suitable policy in the application pipeline. In this tutorial, we learn the steps required for this. We shall also learn how to define multiple policies so that each end-point can serve requests to its own set of origins.
(Rev. 30-Sep-2022)

Categories | About |     |  

Parveen,

The Plan of this Tutorial

We shall define three policies. The first will be a default policy that will permit requests to all origins and all schemes; the second would be a named policy that will allow requests to two origins only, and the third too would be a named policy permitting requests to just one origin.

After that we shall apply these policies to three web API end-points. Each end-point would thus open itself to a different set of origins.

Finally, we shall test each of these end-points with curl.

Video Explanation (see it happen!)

Please watch the following youtube video:

The ASPNET Core Project

We have already created an ASPNET Core project. It can be obtained from the downloads attached to this tutorial.

Open the solution explorer and locate the program.cs file. Double-click and open it!

Let's study the code line by line.

The first three lines are the usual boilerplates.

After that, we have added a cross-origin resource sharing [CORS] service to the services collection.


using Microsoft.AspNetCore.Cors;

var builder = WebApplication.CreateBuilder();

builder.Services.AddRazorPages();

// add service for cors 
builder.Services.AddCors(options =>
{

  // default policy 
  options.AddDefaultPolicy(
          policy =>
          {
            policy.AllowAnyOrigin();
          });

  // named policy 
  options.AddPolicy("PolicyA",
          policy =>
          {
            policy.WithOrigins(
                  "https://hoven.in", 
                  "https://google.com"
                  );
          });

  // named policy 
  options.AddPolicy("PolicyB",
          policy =>
          {
            policy.WithOrigins(
                  "https://localhost:7975"
                  );
          });
});

var app = builder.Build();

app.UseCors();

app.MapRazorPages();

// default policy 
app.MapGet("/check", [EnableCors]() => "hello api check");

// policy PolicyA, hoven.in and google.com 
app.MapGet("/check2", [EnableCors("PolicyA")]() => "hello api check2");

// policy PolicyB, localhost:7975 
app.MapGet("/check3", [EnableCors("PolicyB")] () => "hello api check3");

app.Run();


  

First, we add a default policy. The function AllowAnyOrigin enables cross-origin requests from every origin. We have done this for the sake of a tutorial and to teach the availability of such a function.

Then we add a named policy to allow requests from two origins only.

Thirdly, we have added another named policy to allow requests from just one origin.

The next step is to add the cross-origin CORS middleware with the UseCors extension method.

The handler for the GET request to the /check endpoint has the [EnableCors] attribute. Since no policy has been specified, the default policy applies. So cross-site requests are allowed from all origins.

PolicyA applies to the /check2 endpoint, which restricts cross-origin requests to two websites.

Lastly, PolicyB on the /check3 endpoint restricts cross-origin requests to only one origin.

Run the Project and Verify

Run the project and allow the home page to open.

Next open the command prompt and type the following curl command -


// refer previous tutorial for a primer 
// on the usage of curl 

curl -i https://localhost:7276/check -H "origin:https://microsoft.com"

This command sends a GET request to the /check endpoint from a third-party website. But since the default policy applies, and since it allows requests from all origins, we expect to receive the Access-Control-Allow-Origin header in the response.


HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Tue, 16 Aug 20...
Server: Kestrel
Access-Control-Allow-Origin: *
Transfer-Encoding: chunked

Hit the enter key. We verify that the header is indeed present in the response. Therefore, the cross-origin request will succeed!

Again open the command prompt and type the following curl command -


// refer previous tutorial for a primer 
// on the usage of curl 

curl -i https://localhost:7276/check2 -H "origin:https://hoven.in"

This command sends a GET request to the /check2 endpoint from a third-party website. But since Policy A applies, and since it allows requests from hoven.in, we expect to receive the Access-Control-Allow-Origin header in the response.


HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Tue, 16 Aug 20...
Server: Kestrel
Access-Control-Allow-Origin: https://hoven.in
Transfer-Encoding: chunked

Hit the enter key. We verify that the header is indeed present with a value equal to the name of the permitted website. Therefore, the cross-origin request will succeed!

Again open the command prompt and type the following curl command -


// refer previous tutorial for a primer 
// on the usage of curl 

curl -i https://localhost:7276/check3 -H "origin:https://hoven.in"

This command sends a GET request to the /check3 endpoint from a third-party website. But since Policy B applies, and since it doesn't allow requests from hoven.in, we expect that the Access-Control-Allow-Origin header to be absent.


HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Date: Tue, 16 Aug 20...
Server: Kestrel
Transfer-Encoding: chunked

Hit the enter key. We verify that the header is indeed absent. Therefore, the cross-origin request will fail.

We have seen how to apply policy-based restrictions and permissions for cross-origin requests. Thanks!


This Blog Post/Article "(CORS C# ASP.NET Core) Enabling CORS with a Policy" by Parveen is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.