How do I add CORS headers on a per folder basis on IIS?

Question

I have some images on my site that I need to enable cross-domain access for, but I don't want to add it to all images. I know I could do this:

<configuration>
 <system.webServer>
   <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
   </httpProtocol>
 </system.webServer>
</configuration>

But is there a way to restrict the custom header to only one folder on my site?

Answer 1

Yes, there is. Just create a new web.config file in that folder, and it will apply to that folder only.

Answer 2

If Daniel Liuzzi's answer does not work for you, allow anonymous access to the images folder as well:

If you are using ASP authentication, what appears as a CORS authentication issue may instead be an access problem triggered by ASP authentication and the redirect to your login page.

<configuration>
    <!-- allow all access to the folder in question -->
    <system.web>
      <authorization>
        <allow users="?,*" />
      </authorization>
    </system.web>

 <!-- Daniel Liuzzi's mime header (above) for CORS access -->
 <system.webServer>
   <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
   </httpProtocol>
 </system.webServer>
</configuration>