We need to disable CORS in a WebAPI project, and I have commented out the line below in the public void Configuration(IAppBuilder app) method of the Startup.cs class.

        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

After going through the thread, the following request is sent:

curl -H "Origin: http://www.google.com" --verbose \
  http://localhost:23422/api/values

Response

HTTP/1/1 200 OK
Content-Type: application/json; charset=utf-8
Server: XXXX
X-SourceFiles: XXX
X-Powered-By: ASP.NET
[
 "value1",
 "value2"
]

It does work and gives back the actual result. Does it mean that CORS is still supported? I assumed it would not return any values, since I am requesting it from google.com.

However, when I try the request below, it returns 405 Method Not Allowed:

curl -H "Access-Control-Request-Method: GET" -H "Origin: http://google.com" --head \
  http://localhost:44312/api/values

Response

HTTP/1/1 405 Method Not Allowed
Allow: GET,POST
Content-Type: application/json; charset=utf-8
Server: XXXX
X-SourceFiles: XXX
X-Powered-By: ASP.NET
{
  "message": "The requested resource does not support http method "OPTIONS"."
}
Sunny

2 Answers

Since you're not getting the allow cross-origin header in the response (when your request has the header), this does not prove that cross origin is still enabled.

Assuming cross origin is disabled, why do you still get data? Because CORS errors happen in an internet browser. It is the browser that blocks the access. A script written in C#, PowerShell, etc. would still have access to resources in any public domain, since it's running on a PC, not in an internet browser.

Daniel Manta

This works for me in ASP Net Core:

I had similar problem.

In ConfigureServices:

services.AddCors();

In Configure:

// global cors policy
app.UseCors(x => x
    .AllowAnyMethod()
    .AllowAnyHeader()
    .SetIsOriginAllowed(origin => true) // allow any origin
    .AllowCredentials()); // allow credentials

Install NuGet Package: Microsoft.AspNetCore.Cors

<PackageReference Include="Microsoft.AspNetCore.Cors" Version="2.2.0" />

Now it's possible to call the API from the browser using e.g. JavaScript.

Found here: https://jasonwatmore.com/post/2020/05/20/aspnet-core-api-allow-cors-requests-from-any-origin-and-with-credentials

Stefan27
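
The first answer's point and the effect of the second answer's policy, as an added example that is not part of either answer: a simplified JavaScript model of the check a browser applies before a script may read a cross-origin response. The header sets are constructed from the responses on this page; the third assumes the allow-any-origin-with-credentials policy echoes the request origin back, and `https://any.example` is a placeholder origin.

```javascript
// Simplified model of the browser-side CORS check (after the Fetch standard).
// curl and other non-browser clients never run this check; they just get the body.

// Header lookup is case-insensitive, as in HTTP.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Would the browser let a script running on `origin` read this response?
function corsCheck(origin, withCredentials, headers) {
  const allowOrigin = header(headers, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) return false;            // no header: read is blocked
  if (!withCredentials && allowOrigin === '*') return true;
  if (allowOrigin !== origin) return false;          // exact match required
  if (!withCredentials) return true;
  return header(headers, 'Access-Control-Allow-Credentials') === 'true';
}

// A preflight (OPTIONS) must return a 2xx status and pass the same check.
function preflightOk(origin, withCredentials, status, headers) {
  return status >= 200 && status <= 299 && corsCheck(origin, withCredentials, headers);
}

// Constructed case 1: the question's first response (200, data, no CORS headers).
const corsDisabled = { 'Content-Type': 'application/json; charset=utf-8' };
// Constructed case 2: the question's second response (OPTIONS answered with 405).
const preflight405 = { 'Allow': 'GET,POST' };
// Constructed case 3 (assumption): headers sent under the second answer's policy
// for a credentialed request from https://any.example.
const allowAll = {
  'Access-Control-Allow-Origin': 'https://any.example',
  'Access-Control-Allow-Credentials': 'true',
};

function demo() {
  return {
    disabledReadable: corsCheck('http://www.google.com', false, corsDisabled),
    preflightPasses: preflightOk('http://google.com', false, 405, preflight405),
    allowAllReadable: corsCheck('https://any.example', true, allowAll),
  };
}

console.log(demo());
```

Case 3 passes for every origin even with cookies attached, so any site the user visits can read authenticated responses from such an API; an explicit list of trusted origins keeps the browser's protection in place.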