In this post we will focus on how to enable CORS in ASP.Net Core application, get knowledge about CORS policy how we can share resource through different origin.

Topic will be discussed:

• What is CORS?
• Create .Net Core WebApi Application
  • Add Packages
  • Add Database Connection
  • Enable CORS
• Publishing to IIS
• Share Through .Net Core Sample Application

 

Introduction:  First let’s get introduced with CORS, from Wikipedia, Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated.

Get more details from docs.asp.net. Ok Let’s get started with our topic with a sample application.

Create  New Application: Open Visual Studio 2015 then go top menu and Click > File > New > Project

Choose Web API template

Finally .Net Core Welcome page will appear. Read more about .net Core.

First we need to add required Packages to sample application, here we have added those packages listed below in project.json file. After putting all those packages in our project config file they will automatically added to our application by IDE.

project.json

//EntityFrameworkCore
"Microsoft.EntityFrameworkCore.SqlServer": "1.0.1",
"Microsoft.EntityFrameworkCore.Tools": "1.0.0-preview2-final",
"Microsoft.EntityFrameworkCore.SqlServer.Design": "1.0.1",
"Microsoft.EntityFrameworkCore": "1.0.1",

//Cross Origin Resource Sharing
"Microsoft.AspNetCore.Cors": "1.0.0"

Now let’s add Database connection to our application. Open appsettings.json file, we have put down our database connection string here as you can see from the below code section.

appsettings.json

{
  "ConnectionStrings": {
    "dbConn": "Server=DESKTOP-JAKRV2S;Database=PhoneBook;Trusted_Connection=True;MultipleActiveResultSets=true"
  },
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  }
}

After that we need to call it in our application middle-ware in Startup.cs.

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    var connection = @"Server=DESKTOP-JAKRV2S;Database=PhoneBook;Trusted_Connection=True;";
    services.AddDbContext(options => options.UseSqlServer(connection));
}

Now we are going to add & enable CORS to our sample API application. Open Startup.cs file from solution explorer, as you can see i have added the CORS service in ConfigureServices method to enabled it by getting called on run-time.

Here we have also specified different CORS enable policy by using CorsPolicyBuilder. You may test by enabling different types with this sample application.

Startup.cs : ConfigureServices

services.AddCors(
    options => options.AddPolicy("AllowCors",
    builder =>
    {
        builder
        //.WithOrigins("http://localhost:4456") //AllowSpecificOrigins;
        //.WithOrigins("http://localhost:4456", "http://localhost:4457") //AllowMultipleOrigins;
        .AllowAnyOrigin() //AllowAllOrigins;

        //.WithMethods("GET") //AllowSpecificMethods;
        //.WithMethods("GET", "PUT") //AllowSpecificMethods;
        //.WithMethods("GET", "PUT", "POST") //AllowSpecificMethods;
        .WithMethods("GET", "PUT", "POST", "DELETE") //AllowSpecificMethods;
        //.AllowAnyMethod() //AllowAllMethods;

        //.WithHeaders("Accept", "Content-type", "Origin", "X-Custom-Header");  //AllowSpecificHeaders;
        .AllowAnyHeader(); //AllowAllHeaders;
    })
);

Let’s Separate the Code:  

With Origin: Enable CORS with All, Multiple or Specific Origin

Allow Specific Origin

builder.WithOrigins("http://localhost:4456")

Allow Multiple Origins

builder.WithOrigins("http://localhost:4456", "http://localhost:4457")

Allow All Origins

builder.AllowAnyOrigin()

With Methods: Enable CORS with All, Multiple or Specific Methods

Allow Specific Methods

builder.WithMethods("GET", "PUT", "POST", "DELETE")

Allow All Methods

builder.AllowAnyMethod()

With Headers: Enable CORS with All or Specific Headers

Allow Specific Headers

builder.WithHeaders("Accept", "Content-type", "Origin", "X-Custom-Header")

Allow All Headers

builder.AllowAnyHeader()

After that we have enabled CORS for your application using an extension method “UseCors“.

Startup.cs : Configure

//Enable CORS policy "AllowCors"
app.UseCors("AllowCors");

Finally the Full Startup.cs

public class Startup
{
    public Startup(IHostingEnvironment env)
    {
        var builder = new ConfigurationBuilder()
            .SetBasePath(env.ContentRootPath)
            .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

        if (env.IsEnvironment("Development"))
        {
            // This will push telemetry data through Application Insights pipeline faster, allowing you to view results immediately.
            builder.AddApplicationInsightsSettings(developerMode: true);
        }

        builder.AddEnvironmentVariables();
        Configuration = builder.Build();
    }

    public IConfigurationRoot Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container
    public void ConfigureServices(IServiceCollection services)
    {

        //Add database services.
        var connectionString = this.Configuration.GetConnectionString("dbConn");
        services.AddDbContext(options => options.UseSqlServer(connectionString));

        // Add framework services.
        services.AddApplicationInsightsTelemetry(Configuration);

        services.AddMvc();

        //Add CORS services.
        //services.Configure(options =>
        //{
        //    options.Filters.Add(new CorsAuthorizationFilterFactory("AllowSpecificOrigin"));
        //});

        services.AddCors(
            options => options.AddPolicy("AllowCors",
            builder =>
            {
                builder
                //.WithOrigins("http://localhost:4456") //AllowSpecificOrigins;
                //.WithOrigins("http://localhost:4456", "http://localhost:4457") //AllowMultipleOrigins;
                .AllowAnyOrigin() //AllowAllOrigins;

                //.WithMethods("GET") //AllowSpecificMethods;
                //.WithMethods("GET", "PUT") //AllowSpecificMethods;
                //.WithMethods("GET", "PUT", "POST") //AllowSpecificMethods;
                .WithMethods("GET", "PUT", "POST", "DELETE") //AllowSpecificMethods;
                                                                //.AllowAnyMethod() //AllowAllMethods;

                //.WithHeaders("Accept", "Content-type", "Origin", "X-Custom-Header");  //AllowSpecificHeaders;
                .AllowAnyHeader(); //AllowAllHeaders;
            })
        );

    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        app.UseApplicationInsightsRequestTelemetry();

        app.UseApplicationInsightsExceptionTelemetry();

        app.UseMvc();

        //Enable CORS policy "AllowCors"
        app.UseCors("AllowCors");

    }
}

MVC WebApi:

Here are list of required Namespace.

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Cors;
using CrossOrigin.WebService.Models.DbEntities;
using Microsoft.EntityFrameworkCore;

Api Controller:  Here we are applying specific CORS policy on APiController. It is also can be applied on per action based or globally for all controllers based.

[EnableCors("AllowCors"), Route("api/[controller]")]
public class ContactController : Controller
{
    private PhoneBookContext _ctx = null;
    public ContactController(PhoneBookContext context)
    {
        _ctx = context;
    }

    // GET: api/Contact/GetContact
    [HttpGet("GetContact"), Produces("application/json")]
    public async Task

We can disable CORS by using attribute “DisableCors“. In this controller we have applied on “PUT” method to disable CORS.

Publishing to IIS: We need to prepare our Server for ASP.net Core application to host. Get more details on Publish .Net Core Application. We have used localhost with assigning port 8081 to get accessed by our Sharing application.

http://localhost:8081

Let’s browse our application by using http://localhost:8081 url, as you can see our API is working with response of JSON data.

Now, time to access the shared resource. I have added an existing sample application to this solution, Below is the simple change that i have made to access the resource via API from different origin.

Share Resource:

 public _saveUrl: string = 'http://localhost:8081/api/Contact/PostContact';
 public _updateUrl: string = 'http://localhost:8081/api/Contact/PutContact';
 public _getUrl: string = 'http://localhost:8081/api/Contact/GetContact';
 public _getByIdUrl: string = 'http://localhost:8081/api/Contact/GetContactByID';
 public _deleteByIdUrl: string = 'http://localhost:8081/api/Contact/DeleteContactByID';

Here we have tried to access the resource through  http://localhost:8081 but occurred server error, as you can see below.

After enabled CORS we have successfully able to access the shared resource through Web API.

Output:

Source Code: I’ve uploaded the full source code to download/clone , Hope this will help 🙂