4,815 questions
CORS setting in asp.net core 6.0 is not restricting the Origins
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 87%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
Nalswamy Kandaswamy
1
Reputation point
Hi There,
I have created an ASP.NET Core 6.0 Web API and trying to set cors policy. I have applied policy only to allow few origins, but it is not working as expected instead it allows for all the sites which consumes this API. Can you please help me what I am missing?
Here is my program.cs file.
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddCors(options =>
{
options.AddPolicy("myPolicy",
policy =>
{
policy.WithOrigins("http://example.com").AllowAnyHeader().AllowAnyMethod();
});
});
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddDbContext(options =>
options.UseSqlServer(builder.Configuration.GetConnectionString("defaultConnection")));
//builder.Services.AddCors();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseCors("myPolicy");
app.UseAuthorization();
app.MapControllers();
app.Run();
Expected Behavior
I was expected to allow access to the endpoints only for the requests from example.com, but it allows for all other sites too
Developer technologies ASP.NET ASP.NET Core
{count} votes
-
AgaveJoe 30,126 Reputation points2022-06-28T10:36:23.59+00:00 I was expected to allow access to the endpoints only for the requests from example.com, but it allows for all other sites too
CORS does not allow or deny access to resources. CORS uses headers to let the browser know if cross-origin resource sharing is allowed. If CORS is not allowed the browser throws an exception after receiving the HTTP response. CORS only applies to browsers and does not affect HTTP request from another server or code.
Cross-Origin Resource Sharing (CORS)
Enable Cross-Origin Requests (CORS) in ASP.NET CoreI think you are confusing CORS with Authorization. Authorization restricts access to resource using a token passed in the HTTP header. The token contains information that identifies the user and user's claims.
-
Nalswamy Kandaswamy 1 Reputation point
2022-06-28T11:25:12.743+00:00 Thank you very much for the reply, I got it now.
Sign in to comment
Sign in to answer