

.. _cors-policy:

Specifying a CORS Policy
========================

By `Mike Wasson`_

Browser security prevents a web page from making AJAX requests to another domain. This restriction is called the *same-origin policy*, and prevents a malicious site from reading sensitive data from another site. However, sometimes you might want to let other sites make cross-origin requests to your web app.

`Cross Origin Resource Sharing <>`_ is a W3C standard that allows a server to relax the same-origin policy. Using CORS, a server can explicitly allow some cross-origin requests while rejecting others. This topic shows how to enable CORS in your ASP.NET MVC 6 application. (For background on CORS, see :ref:`aspnet:cors-how-cors-works`.)
Add the CORS package
--------------------

In your project.json file, add the following:

.. literalinclude:: cors-policy/sample/project.json
    :language: json
    :lines: 5,9-10
    :emphasize-lines: 2
Configure CORS
--------------

To configure CORS, call ``ConfigureCors`` in the ``ConfigureServices`` method of your ``Startup`` class, as shown here:

.. literalinclude:: cors-policy/sample/Startup.cs
    :language: csharp
    :lines: 10-21,27
    :dedent: 8

This example defines a CORS policy named "AllowSpecificOrigin" that allows cross-origin requests from "" and no other origins. The lambda takes a ``CorsPolicyBuilder`` object. To learn more about the various CORS policy settings, see :ref:`aspnet:cors-policy-options`.
Apply CORS Policies
-------------------

The next step is to apply the policies. You can apply a CORS policy per action, per controller, or globally for all controllers in your application.

Per action
^^^^^^^^^^

Add the ``[EnableCors]`` attribute to the action. Specify the policy name.

.. literalinclude:: cors-policy/sample/Controllers/HomeController.cs
    :language: csharp
    :lines: 7-13
    :dedent: 4

Per controller
^^^^^^^^^^^^^^

Add the ``[EnableCors]`` attribute to the controller class. Specify the policy name.

.. literalinclude:: cors-policy/sample/Controllers/HomeController.cs
    :language: csharp
    :lines: 6-8
    :dedent: 4
Globally
^^^^^^^^

Add the ``CorsAuthorizationFilterFactory`` filter to the global filter collection:

.. literalinclude:: cors-policy/sample/Startup.cs
    :language: csharp
    :lines: 10-12,22-26
    :dedent: 8

The precedence order is: action, controller, global. Action-level policies take precedence over controller-level policies, and controller-level policies take precedence over global policies.
Disable CORS
------------

To disable CORS for a controller or action, use the ``[DisableCors]`` attribute.

.. literalinclude:: cors-policy/sample/Controllers/HomeController.cs
    :language: csharp
    :lines: 15-19
    :dedent: 4
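The following is an added illustration of the whole procedure (configure a named policy, apply it globally, then narrow it with controller and action attributes); it is not the page's own sample, and it assumes the beta-era ``Microsoft.AspNet.*`` namespaces and the placeholder origin ``http://example.com``:

```csharp
// Startup.cs (added example; assumes ASP.NET 5 beta namespaces)
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Cors.Core;
using Microsoft.AspNet.Mvc;
using Microsoft.Framework.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Name the policy and list the exact origin (scheme + host + port) it may
        // serve. "http://example.com" is a placeholder; use your real partner origin.
        // An explicit allowlist like this is preferable to AllowAnyOrigin on
        // endpoints that return user-specific data.
        services.ConfigureCors(options =>
        {
            options.AddPolicy("AllowSpecificOrigin",
                builder => builder.WithOrigins("http://example.com"));
        });

        // Apply the policy globally; controller- and action-level attributes
        // override it where present (action > controller > global).
        services.ConfigureMvc(options =>
        {
            options.Filters.Add(new CorsAuthorizationFilterFactory("AllowSpecificOrigin"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseMvc();
    }
}

// Controllers/HomeController.cs (added example)
[EnableCors("AllowSpecificOrigin")]     // controller-level: same policy, stated explicitly
public class HomeController : Controller
{
    // Inherits the controller policy: cross-origin calls from the listed origin succeed.
    public IActionResult Index() => Content("cross-origin readable by the allowed origin");

    // Action-level opt-out: this action is never exposed cross-origin,
    // regardless of the controller or global policy.
    [DisableCors]
    public IActionResult Account() => Content("same-origin only");
}
```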