Enabling Cross Origin Resource Sharing (CORS)


#1

Cross Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is a specification that enables truly open access across domain-boundaries. If you serve public content, please consider using CORS to open it up for universal JavaScript/browser access.

By default, the IIS environment is configured to deny this types of accesses as a security measure. While there are many reasons so have CORS enabled, we do recommend to put in the time to enable it in a secure manner. However, a quick method of getting the access utility up and running is to enable it for all requesting domains.

Using the Access-Control-Allow-Origin HTTP Header, you can determine what domains are allowed to pull content from your domain.

Enabling Cross Origin Resource Sharing (CORS)

As an example, if testdomain1.com is needing to pull content from testdomain2.com but the browser is reporting that the request is being denied due to disallowed CORS. The safest way of addressing this issue would be to implement the following code into the testdomain2.com web.config file.

<?xml version="1.0" encoding="utf-8"?>
 <configuration>
  <system.webServer>
   <httpProtocol>
    <customHeaders>
     <add name="Access-Control-Allow-Origin" value="testdomain1.com" />
    </customHeaders>
   </httpProtocol>
  </system.webServer>
 </configuration>

Note: While not recommended, if you are needing to quickly apply the allow rule for everything so that you can test with multiple domains, make the value of the header match the code below:

<customHeaders>
 <add name="Access-Control-Allow-Origin" value="*" />
</customHeaders>

If at all possible we highly recommend identifying sources that need to pull content from your site, so that you are manually authorizing the action. The (*) value enables the action to pull content from your site to everything.

For more information regarding CORS and understanding how to implement common allowances, please visit the CORS resource link: