CORS in .NET Core: .NET Core Security Part VI

In these series of posts, we will see how to secure your .NET Core applications.

In this post, we will look at CORS and how to enable CORS in your .NET Core application.

What Is CORS?

Before going into the basic question "What is CORS?", let us imagine a scenario related to that.

Let us start with a very basic example.

Suppose there are two URLs like the ones below:

http://mysite.com/abc.html
http://mysite.com/xyz.html

The above URLs look almost identical, so let us call them, "same origin."

Now, after making a little twist, we have some more URLs, as shown below:

http://mysite.in //// You have a different domain.
http://www.mysite.com/xyz.html //// You have a different sub domain
http://mysite.com:7000/abc.html //// Oh man, you have different ports!

So, since the URLs in the above example do not look similar, we'll use the term "Different origin" to describe them.

If the CORS is not enabled you might get an exception like the one below while trying to access another domain using an ajax call:

XMLHttpRequest cannot load http://www.mysite.com/. No 'Access-Control-Allow-Origin' header is present on the requested resource.

Why?

Because browser security prevents a web page from making ajax requests to another domain. This restriction is called the same-origin policy and prevents a malicious site from reading sensitive data from another site.

But what if we want to allow other domains to access our APIs?

We have a savior here: CORS!

Now the question is, "What is CORS?"

CORS stands for Cross-Origin Resource Sharing.

Per the ASP.NET Core docs, "CORS is a W3C standard that allows a server to relax the same-origin policy. Using CORS, a server can explicitly allow some cross-origin requests while rejecting others."

Simply put - CORS gives you the power to allow cross-domain calls from the specified domains.

How Does CORS Work?

• Once we use CORS, new HTTP headers are introduced which enable cross-origin requests.
• "If the browser supports CORS, the browser sets those headers automatically for cross-origin requests."
• These cross-origin requests are then sent to the server that contains the origin header which includes the domain information.
• If everything goes well with the server, the server adds an Access-Control-Allow-Origin header in the response.
• The value of the header, Access-Control-Allow-Origin, could be * in case any origin should be allowed or for when we want to allow any specific domain in the name of the domain, i.e. Access-Control-Allow-Origin: http://mysite.com
• If the response does not include the header Access-Control-Allow-Origin, the request fails.

Coming to .NET Core: Does .NET Core Support CORS?

Yes, it surely does.

It is straightforward and easy to use CORS with .NET Core.

You just need to follow below steps:

• Install the Microsoft.AspNetCore.Cors Nuget package.
• Configure CORS in the ConfigureService method.
• Enable CORS using middleware in the Configure method.
• Enable CORS in .NET Core MVC by enabling it in Controllers or actions or globally.

Install CORS Nuget Package

To install Microsoft ASP.NET Core Cross-Origin Support, run the following command in the Package Manager Console:

PM> Install-package Microsoft.AspNetCore.Cors

Or, search this on Nuget:

Configure CORS

First of all, we will add a CORS service in the Startup.cs file as shown below:

public void ConfigureServices(IServiceCollection services)
{
services.AddCors();
}

We can even create the policy and later we can use these policies' runtime:

public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowMyOrigin",
builder => builder.WithOrigins("http://mysite.com"));
});
}

As you can see above, I have added the WithOrigins method which allows only specific origins to make requests.

Apart from this, there are other policy options, which are:

• AllowAnyOrigin() - Allows any origin.
• AllowAnyHeader() - Allows all HTTP headers in the request.
• WithHeaders() - Allows only specific headers.
• AllowAnyMethod() -Allows all HTTP methods.
• WithMethods() - Allows only specific HTTP methods.
• AllowCredentials() - Credentials are passed with the cross-origin request, mostly used for cookie and HTTP authentication.

Enable CORS

We can enable CORS by adding the CORS middleware in the Configure method of the Startup.cs class. By doing this, we are enabling CORS for the entire application.

public void Configure(IApplicationBuilder app)
{
app.UseCors("AllowMyOrigin");
}

Note: Apply UseCors before the UseMvc call so that the CORS middleware fires before any other endpoints.

Apply CORS in a .NET Core Application

The next step would be to apply our settings to our controllers or actions or globally.

For that, there are mainly 3 options, which we'll go over below. 

Use This in Your Attribute on the Controller's Action

Add an [EnableCors] attribute above the specific action method:

[EnableCors("AllowMyOrigin")]
public IEnumerable<string> Get()
{
  return new string[] { "value1", "value2" };
}                                       

Use This in Your Attribute on the Controller

Add an [EnableCors] attribute above the specific Controller:

[EnableCors("AllowMyOrigin")]

public class ValuesController : Controller

Apply CORS Globally

We can apply CORS globally by adding a CorsAuthorizationFilterFactory filter as shown below:

public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new CorsAuthorizationFilterFactory("AllowMyOrigin"));
});
}

That's all for today, I hope this post helps!