How to disable CORS completely in WebAPI

We need to disable CORS in WebAPI project and I have commented out below line in Startup.cs class and public void Configuration(IAppBuilder app) method.

        app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

By going through thread, following request is sent

curl -H "Origin: http://www.google.com" --verbose \ http://localhost:23422/api/values

Response

HTTP/1/1 200 OK
Content-Type: application/json; charset=utf-8
Server: XXXX
X-SourceFiles: XXX
X-Powered-By: ASP.NET
[
 "value1",
 "value2"
]

It does work and gives back the actual result. Does it mean that the CORS is still supported? I assumed it to not to return any values since I am requesting it from google.com.

However, when I try the below request. It returns back 405 Method Not Allowed

curl  -H "Access-Control-Request-Method: GET" -H "Origin: http://google.com" --head \ http://localhost:44312/api/values

Response

HTTP/1/1 405 Method Not Allowed
Allow: GET,POST
Content-Type: application/json; charset=utf-8
Server: XXXX
X-SourceFiles: XXX
X-Powered-By: ASP.NET
{
  "message": "The requested resource does not support http method "OPTIONS"."
}

1 answer

  • answered 2018-01-16 16:38 derloopkat

    Since you're not getting allow cross origin header in the response (when your request has the header), this does not prove that cross origin is still enabled.

    Assuming cross origin is disabled why do you still get data? Because CORS error happen in an internet browser. It is the browser that block the access. A script written in C#, Powershell, etc, would still have access to resources in any public domain since it's running on a PC, not in an Internet browser.