How to use the new CORS support in Web API 2

Many exciting new features have been enabled in ASP.NET Web API 2. This framework enables easy building of HTTP services which will reach many clients across a broad spectrum including mobile devices as well as browsers. The addition of several features has idealized this platform.

Some of the most remarkable features are attribute routing(on top of convention-based routing), Open Web Interface for .NET or OWIN self hosting, Web API Odata, IhttpActionResult and the most significant is the Cross Origin Resource Sharing which has taken the cyber world by storm. developersCORS is the short form of Cross-Origin Resource Sharing; this standard allows web pages the ability of making Ajax requests to other domains. Same-origin policy which has been implemented on browsers is relaxed; previously this policy limited calls to be just within same domain with cross-domain calls not being allowed. CORS defines the interaction of the browser along with server so that cross origin calls can be made. API supports this in its 2nd version and it is compliant with standards of W3C.

CORS is already supported by majority of modern browsers. But if we want to enable support for API services, first of all we will be needing a few assemblies to ensure that this is done smoothly. We will need System.Web.Cors.dll which is not dependent on System.Web.Http.dll or System.Web.dll and contains core CORS library; System.Web.Http.Cors.dll which contains CORS enabling library on Web API which is dependent on System.Web.Http.dll as well as System.Web.Cors.dll.

When upgrading and installing the package from nightly builds, the first thing that you have to do is create new API project by starting with new template.

Since you do not need Microsoft.AspNet.Mvc.FixedDisplayModes package, the second step is to uninstall it. In fact uninstalling this is necessary as you will be prevented from updating to recent nightly build.

The 3rd step is installing Microsoft.AspNet.WebApi.Cors package from nightly builds. Set the package source and it will enable you to see CORS package.

After that, the 4th step is to fix binding redirects that are there in web.config, otherwise there will be errors. which is existing must be replaced which will enable the smooth running of the applications.

After that you can try it out by browsing test clients available on some sites and making a fast cross-origin request. You will find Test APIs and all you have to do is click there and paste the URL on your API. Click “Send” and it will show request failed since CORS is not enabled on API by default. Now you have to enable CORS by calling config.EnableCors (new EnableCorsAttribute()). Now you have enabled CORS for all controllers and all origins will be allowed.

While we enable this a few scenarios should be considered. While enabling this, HttpConfiguration has a new method of extension added to it which will enable global support per action or per controller.

When calling EnableCors, global settings can be defined. For example we can enable the sharing globally which will allow all headers, origins and methods. EnableCorsAttribute has many settings which are easy to configure. The controller can be scoped with the support as well. You just have to call EnableCors without the provision of a global setting. Then the EnableCorsAttribute can be declared so that the controller is enabled with the support. It can also be enabled on single action in a similar manner.

An action or controller can be excluded from EnableCors as well simply by using DisableCors attribute. Custom IcorsPolicyProvider can be implemented as well so that policies or settings related to the support from other sources can be loaded dynamically.

One thing to remember when testing this with IE is that the port is not considered by IE as part of Security Identifer or the origin which is used for enforcement of Same Origin Policy. So test clients and Web API on different local hosts will hinder cross-origin requests.

You can hire developers from top .net application development companies in India who can help you build ASP.NET applications within allocated budgets and time schedules.

We provide .net application development services. If you would like to discuss with an expert .net web developer from our team, please get in touch with us at Mindfire Solutions.