Simple CorsFeature question

meb · December 10, 2020, 12:11pm

Is there any way to specify all headers and all methods are allowed in the CorsFeature? I’ve had a good look and can’t see anything mentioning this. I’d like to do something similar to the aspnet core methods CorsPolicyBuilder.AllowAnyHeader() and CorsPolicyBuilder.AllowAnyMethod().

I’ve tried to use an asterisk but that didn’t seem to work. I’d also understand if it wasn’t allowed to promote an explicit allowed list as a best practice.

mythz · December 10, 2020, 1:03pm

Uses the expected * wildcard:

github.com

dotnet/aspnetcore/blob/857bb0f416b746c9eb7b9a412443b39c1701df6b/src/Middleware/CORS/src/Infrastructure/CorsPolicyBuilder.cs#L189-L194


      
          public CorsPolicyBuilder AllowAnyHeader()
          {
              _policy.Headers.Clear();
              _policy.Headers.Add("*");
              return this;
          }

Likewise for AllowAnyMethod().

Here’s the defaults for CorsFeature:

github.com

ServiceStack/ServiceStack/blob/75114b997c05a79d286247acd959c2e8d772b497/src/ServiceStack/CorsFeature.cs#L15-L17


      
          public const string DefaultOrigin = "*";
          public const string DefaultMethods = "GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD";
          public const string DefaultHeaders = "Content-Type";

Specifying an explicit whitelist for allowOrigins is preferred in order to reply with an explicit Access-Control-Alow-Origin header but I’ve not heard of the other headers requiring explicit lists.