include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example ASP.NET Core MVC: ---- [HttpGet] public string Get() { Response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive } ---- ---- public void ConfigureServices(IServiceCollection services) { services.AddCors(options => { options.AddDefaultPolicy(builder => { builder.WithOrigins("*"); // Sensitive }); options.AddPolicy(name: "EnableAllPolicy", builder => { builder.WithOrigins("*"); // Sensitive }); options.AddPolicy(name: "OtherPolicy", builder => { builder.AllowAnyOrigin(); // Sensitive }); }); services.AddControllers(); } ---- ASP.NET MVC: ---- public class HomeController : ApiController { public HttpResponseMessage Get() { var response = HttpContext.Current.Response; response.Headers.Add("Access-Control-Allow-Origin", "*"); // Sensitive response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "*"); // Sensitive } } ---- ---- [EnableCors(origins: "*", headers: "*", methods: "GET")] // Sensitive public HttpResponseMessage Get() => new HttpResponseMessage() { Content = new StringContent("content") }; ---- User-controlled origin: [source,csharp] ---- String origin = Request.Headers["Origin"]; Response.Headers.Add("Access-Control-Allow-Origin", origin); // Sensitive ---- == Compliant Solution ASP.NET Core MVC: [source,csharp] ---- [HttpGet] public string Get() { Response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); // Safe Response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); // Safe } ---- [source,csharp] ---- public void ConfigureServices(IServiceCollection services) { services.AddCors(options => { options.AddDefaultPolicy(builder => { builder.WithOrigins("https://trustedwebsite.com", "https://anothertrustedwebsite.com"); // Safe }); options.AddPolicy(name: "EnableAllPolicy", builder => { builder.WithOrigins("https://trustedwebsite.com"); // Safe }); }); services.AddControllers(); } ---- ASP.Net MVC: [source,csharp] ---- public class HomeController : ApiController { public HttpResponseMessage Get() { var response = HttpContext.Current.Response; response.Headers.Add("Access-Control-Allow-Origin", "https://trustedwebsite.com"); response.Headers.Add(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); response.AppendHeader(HeaderNames.AccessControlAllowOrigin, "https://trustedwebsite.com"); } } ---- [source,csharp] ---- [EnableCors(origins: "https://trustedwebsite.com", headers: "*", methods: "GET")] public HttpResponseMessage Get() => new HttpResponseMessage() { Content = new StringContent("content") }; ---- User-controlled origin validated with an allow-list: [source,csharp] ---- String origin = Request.Headers["Origin"]; if (trustedOrigins.Contains(origin)) { Response.Headers.Add("Access-Control-Allow-Origin", origin); } ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] include::../highlighting.adoc[] ''' == Comments And Links (visible only on this page) === on 25 Jan 2021, 17:38:16 Costin Zaharia wrote: How CORS works: \https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0#how-cors For Asp.Net Web Api: https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api#enable-cors Asp.Net Core: https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0   include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]