Enable CORS on WebAPI appears not working from Postman

2
votes

I'm trying to enable CORS for specific domains. I've followed everything they say to so on here:

https://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

I enabled cors on the WebApiConfig. I set the attribute on my controller class with each domain separated by commas. I also tried implementing my own ICorsPolicyProvider class. When I test the code on Postman it's always returning the values despite having a domain not on the list of origins as the origin. I've noticed that the headers returned do not include the Access-Control-Allow-Origin header. I'm using Microsoft.AspNet.WebApi Version 5.2.3. I can't figure out what I'm doing wrong.

Any and all help is greatly appreciated. Thank you.

1
corsasp.net-web-api2

1 Answers

1
votes

The client (browser or Postman) is responsible for enforcing CORS. The mechanics are such that when JavaScript attempts a cross-origin AJAX call, the browser will check if this is allowed.

Solution in your case: Try making the requests to the controller from JavaScript in a browser and you should see the behaviour you are expecting.

As a Chrome extension, Postman can make requests outside its origin: https://developer.chrome.com/extensions/xhr