In my StartUp.cs I have the following setup for CORS.
```csharp
services.AddCors(_ => _.AddPolicy("LocalDev", __ => __
    .AllowAnyOrigin()
    .AllowAnyHeader()
    .WithMethods("GET", "POST", "PUT", "DELETE")
));
```
It works as expected. However, I noticed that removing GET and POST doesn't seem to affect the functionality. Removing PUT or DELETE has an effect, though. I'm confused by this.
Is it the case that the methods for getting and posting enjoy a special status while the others are required to be explicitly provided? I haven't found any references on that in MSDN for the method.
.WithMethods affects GET/POST requests only when they trigger a CORS preflight OPTIONS request — basically, any GET or POST that includes custom request headers. If a GET or POST doesn’t include any custom request headers, then it won’t trigger a CORS preflight OPTIONS request, and so it will be allowed regardless of what the .WithMethods setting is.
In CORS protocol terms, .WithMethods sets the Access-Control-Request-Headers header value, which browsers only consult for responses to CORS preflight OPTIONS requests.
For requests that do trigger a CORS preflight, an intersection of conditions is required; i.e., the request must have both the right origin and the right method. But for requests that don’t trigger a CORS preflight OPTIONS request, there is by definition no “right” method — because in that case, any Access-Control-Allow-Method header is irrelevant and ignored. Or maybe rather, conceptually, it’s more clear to just say that there’s a hard-coded list of “right” methods: the set of CORS-safelisted methods — GET, HEAD, or POST — defined in the Fetch spec.
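The browser-side decision discussed above, as an added example that is not part of the original question or answer: a simplified JavaScript model of the Fetch spec's preflight rules. The function names and the `allowMethods` parameter are hypothetical, and the model assumes the origin and header checks pass, as they do with the `AllowAnyOrigin()` and `AllowAnyHeader()` policy in the question.

```javascript
// Added illustration: simplified model of the browser's CORS checks (Fetch spec).
// Omits the Range header and the value-length limits on safelisted headers.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when a request header is CORS-safelisted and so does not force a preflight.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADERS.has(n)) return false;
  if (n !== "content-type") return true;
  // Content-Type is safelisted only for the three "form-like" MIME types.
  const mime = String(value).split(";")[0].trim().toLowerCase();
  return SAFE_CONTENT_TYPES.has(mime);
}

// A preflight OPTIONS request is sent for a non-safelisted method
// or for any request header that is not safelisted.
function needsPreflight(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// allowMethods (hypothetical parameter): the method list the server's policy
// would return in Access-Control-Allow-Methods on the preflight response.
function evaluate(request, allowMethods) {
  const method = request.method.toUpperCase();
  if (!needsPreflight(method, request.headers)) {
    // No preflight: the method list is never consulted by the browser.
    return { preflight: false, methodListConsulted: false, sent: true };
  }
  const listed = allowMethods.map((m) => m.toUpperCase()).includes(method);
  // Browser-side rule from the Fetch spec: a safelisted method passes the
  // preflight method check even when unlisted. A server may still refuse
  // the preflight itself, which this model does not cover.
  const sent = listed || SAFE_METHODS.has(method);
  return { preflight: true, methodListConsulted: true, sent };
}
```

Because a GET or POST without custom headers never consults the method list, restricting those verbs has to be done in server-side routing or authorization rather than in the CORS policy.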