Informational: CORS settings for .NET based Web Apps

Cross-origin resource sharing (CORS) is a specification that allows web assets (like CSS, fonts, JS) on a web page to be requested from another domain (cross-domain communication from the browser). These “cross-domain” requests are usually forbidden by web browsers, per the same-origin security policy. In particular, this means that a web application using AJAX-based XMLHttpRequest can only make HTTP requests to the domain it was loaded from, and not to other domains.

CORS can be used as a modern alternative to the JSONP pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests.

Below are my web.config settings to allow CORS requests for .NET-based Web APIs or services deployed on IIS 7/8:

 <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/>
    </modules>
    <httpProtocol>
        <customHeaders>
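            <!-- "*" lets a page on any origin read these responses; browsers reject it for requests sent with credentials -->
            <add name="Access-Control-Allow-Origin" value="*"/>
            <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS"/>
            <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
            <!-- Preflight cache lifetime in seconds (20 days); browsers cap this at their own lower maximum -->
            <add name="Access-Control-Max-Age" value="1728000"/>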
        </customHeaders>
    </httpProtocol>
    <handlers>
        <remove name="WebDAV" />
        <remove name="OPTIONSVerbHandler"/>
        <remove name="WebServiceHandlerFactory-ISAPI-4.0_32bit" />
        <remove name="WebServiceHandlerFactory-ISAPI-4.0_64bit" />
        <add name="WebServiceHandlerFactory-ISAPI-4.0_64bit" path="*.asmx" verb="GET,HEAD,POST,DEBUG,OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
        <add name="WebServiceHandlerFactory-ISAPI-4.0_32bit" path="*.asmx" verb="GET,HEAD,POST,DEBUG,OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
    </handlers>
</system.webServer>
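
The settings above return `Access-Control-Allow-Origin: *` to every caller. As an added example (not part of the original post), the fragment below instead echoes the request's Origin only when it matches an allow-list. It assumes the IIS URL Rewrite module is installed; the `example.com` hostnames and the rule name are placeholders, and the `modules` and `handlers` sections stay as in the post.

```xml
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- No static Access-Control-Allow-Origin here: the outbound rule below sets it per request -->
            <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS"/>
            <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
            <!-- The response now differs by Origin, so caches must key on it -->
            <add name="Vary" value="Origin"/>
        </customHeaders>
    </httpProtocol>
    <rewrite>
        <outboundRules>
            <!-- Hypothetical rule name; sets the response header only for allow-listed origins -->
            <rule name="CorsAllowListedOrigin">
                <match serverVariable="RESPONSE_Access_Control_Allow_Origin" pattern=".*" />
                <conditions>
                    <!-- Anchored with ^ and $ so look-alike hosts such as app.example.com.evil.test do not match -->
                    <add input="{HTTP_ORIGIN}" pattern="^https://(app|admin)\.example\.com$" />
                </conditions>
                <!-- {C:0} is the full text matched by the condition, i.e. the allow-listed Origin value -->
                <action type="Rewrite" value="{C:0}" />
            </rule>
        </outboundRules>
    </rewrite>
</system.webServer>
```

Requests from any other origin receive no `Access-Control-Allow-Origin` header, so the browser blocks the calling page from reading the response.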

Reference: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
