1

I would like to enable by EnableCors attribute my own "MyPolicy" for one controller and for the others I would like to use default policy. So in my configure services method I write

services.AddCors(options =>
{
    options.AddPolicy(name: "MyPolicy",
        builder => builder
            .WithOrigins("http://localhost:3000")
            .AllowCredentials()
            .AllowAnyMethod()
            .AllowAnyHeader());

    options.AddDefaultPolicy(
            builder => builder
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader());
});

and than in Configure method I just call:

app.UseCors();

it does not work as I expected. It's only define DefaultPolicy and the only way to use "MyPolicy" is to use them as:

app.UseCors("MyPolicy");

But in this case default policy does not work. Is it possible to define own policies by AddPolicy and default policy by AddDefaultPolicy.

Improve this question
4
  • Which version of ASP.NET Core? Commented Jul 10, 2020 at 12:08
  • ASP.NET Core 2.2 Commented Jul 10, 2020 at 12:10
  • 2
    Have you looked into learn.microsoft.com/en-us/aspnet/core/security/… ? The Attribute Based Approach in combination with the default CORS policy might fit you. Please Provide the controller code if you have tried to annotate the Routes with the CORS Attribute. Commented Jul 10, 2020 at 12:23
  • I read this before but now I try to not UseCorse in Configure method as in ms doc listening. I use only attribute approach in controllers and it's work as I expected. I wanted to combine UseCorse in configure method and attribute approach but it doesn't work. Commented Jul 10, 2020 at 12:40

1 Answer 1

Reset to default
5

If you would like to use many own policies and default policy the solution is to define in configureservices:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(
            builder =>
            {
               
                builder.WithOrigins("http://example.com",
                                    "http://www.contoso.com");
            });

        options.AddPolicy("AnotherPolicy",
            builder =>
            {
                builder.WithOrigins("http://www.contoso.com")
                                    .AllowAnyHeader()
                                    .AllowAnyMethod();
            });

    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
}

and use policies through EnableCorsAttribute like this:

  // GET api/values
    [EnableCors("AnotherPolicy")]
    [HttpGet]
    public ActionResult<IEnumerable<string>> Get()
    {
        return new string[] { "green widget", "red widget" };
    }

. In this case do not call UseCors method of app IApplicationBuilder object in configure method startup class.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }
    //Do not use this method:
    //app.UseCors();

    app.UseHttpsRedirection();
    app.UseMvc();
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.