Regarding enabling CORS in web api project

  • Question

  • User264732274 posted

    I was just looking at this article https://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api to know how we can enable CORS for Web API.

    The article shows how to enable CORS. Here is the code:

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // New code
            config.EnableCors();

            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }

    1) My question is: config.EnableCors(); is not capable of enabling CORS, because the article shows we need to decorate the controller or action.

    Enable CORS for a single controller.

    [EnableCors(origins: "http://www.example.com", headers: "*", methods: "*")]
    public class ItemsController : ApiController
    {
        public HttpResponseMessage GetAll() { ... }
        public HttpResponseMessage GetItem(int id) { ... }
        public HttpResponseMessage Post() { ... }
    
        [DisableCors]
        public HttpResponseMessage PutItem(int id) { ... }
    }

    Enable CORS for a single action.

    public class ItemsController : ApiController
    {
        public HttpResponseMessage GetAll() { ... }
    
        [EnableCors(origins: "http://www.example.com", headers: "*", methods: "*")]
        public HttpResponseMessage GetItem(int id) { ... }
    
        public HttpResponseMessage Post() { ... }
        public HttpResponseMessage PutItem(int id) { ... }
    }

    Guide me about this syntax:

     [EnableCors(origins: "http://www.example.com", headers: "*", methods: "*")]

    origins: url: do I need to provide any valid URL here, or any URL?

    What is the meaning of headers: "*", methods: "*"?

    thanks

    Wednesday, November 30, 2016 1:56 PM

All replies

  • User-1672470423 posted

    Origins: You need to specify the valid URLs that are actually accessing the APIs. Usually these are the web client URLs accessing the Web APIs, so that they are allowed to make cross-domain requests. You can set more than one origin value, separated by commas, and * means to allow all.

    Headers: The Request header parameter specifies which Request headers are allowed. To allow any header, set the value to *. This could be your custom header, Accept, Accept-Language, Content-Language, Content-Type, or Last-Event-ID.

    Methods: The methods parameter specifies which HTTP methods (GET/POST/PUT) are allowed to access the resource. To allow all methods, use the wildcard value “*”. Otherwise, set comma-separated method names to allow a set of methods to access the resources.

    You can also check the link below for detailed explanation:

    https://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, November 30, 2016 2:55 PM
  • User264732274 posted

    See the code:

    [EnableCors(origins: "http://www.example.com", headers: "*", methods: "*")]
    public class ItemsController : ApiController
    {
        public HttpResponseMessage GetAll() { ... }
        public HttpResponseMessage GetItem(int id) { ... }
        public HttpResponseMessage Post() { ... }
    
        [DisableCors]
        public HttpResponseMessage PutItem(int id) { ... }
    }

    origins: "http://www.example.com": my controller name is item controller, but a different URL has been specified here... does it work?

    When we host the Web API in IIS, I will access it like http://IPaddress/controller name and action name.

    So what URL do I need to specify for origins?

    Please guide me. Thanks

    Wednesday, November 30, 2016 7:26 PM
  • User-2057865890 posted

    Hi Sudip_inn,

    For example, the request is a cross-origin request from http://localhost:xxxx to http://localhost, gives the domain of the site that is making the request.

    [EnableCors(origins: "http://localhost:xxxx", headers: "*", methods: "*")]

    Best Regards,

    Chris

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, December 1, 2016 9:21 AM
  • User264732274 posted

    If my site name would be mysite.com, then origin would look like

    [EnableCors(origins: "http://mysite.com", headers: "*", methods: "*")]

    thanks

    Thursday, December 1, 2016 3:00 PM
  • User-1672470423 posted

    Yes, as your site http://mysite.com is requesting WebAPI's methods.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, December 1, 2016 3:10 PM
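
The following JavaScript sketch is an added example, not code from the thread or from ASP.NET Web API. It is a simplified model of how a server applies the origins, headers and methods values discussed in the answers above to a request's Origin header and preflight headers; `evaluateCors`, `samplePolicy` and the sample requests are hypothetical names and constructed values.

```javascript
// Added example: a simplified model of CORS policy evaluation.
// Not ASP.NET Web API's implementation; all names here are hypothetical.
const parseList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

function evaluateCors(policy, req) {
  const origins = parseList(policy.origins);
  const methods = parseList(policy.methods).map((m) => m.toUpperCase());
  const headers = parseList(policy.headers).map((h) => h.toLowerCase());

  // No Origin header: not a CORS request, so no CORS headers are added.
  if (!req.origin) return {};
  // The origin is the calling page's scheme + host + port, matched as a whole
  // string. It is never the API's own URL or a controller path.
  const anyOrigin = origins.includes("*");
  if (!anyOrigin && !origins.includes(req.origin)) return {};
  const out = { "Access-Control-Allow-Origin": anyOrigin ? "*" : req.origin };
  if (!req.preflight) return out;

  // Preflight (OPTIONS): the browser announces the method and headers it
  // intends to send; both must be covered by the policy.
  const method = (req.requestMethod || "").toUpperCase();
  if (!method || (!methods.includes("*") && !methods.includes(method))) return {};
  const wanted = parseList(req.requestHeaders).map((h) => h.toLowerCase());
  if (!headers.includes("*") && !wanted.every((h) => headers.includes(h))) return {};
  out["Access-Control-Allow-Methods"] = method;
  if (wanted.length) out["Access-Control-Allow-Headers"] = wanted.join(", ");
  return out;
}

// Constructed sample policy, narrower than the "*" values used in the thread.
const samplePolicy = {
  origins: "http://mysite.com",
  headers: "content-type, accept",
  methods: "GET, POST",
};

// Constructed sample requests, as a browser on each page would send them.
const sampleRequests = [
  { origin: "http://mysite.com" },
  { origin: "https://mysite.com" }, // different scheme, so a different origin
  { origin: "http://mysite.com", preflight: true, requestMethod: "PUT" },
  { origin: "http://mysite.com", preflight: true, requestMethod: "POST",
    requestHeaders: "Content-Type" },
];
for (const r of sampleRequests) {
  console.log(JSON.stringify(r), "->", JSON.stringify(evaluateCors(samplePolicy, r)));
}
```

An empty result means the response carries no CORS headers, so the browser withholds the response from the calling script.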