Default browsers will not allow javascript to make requests to a domain different from where the javscript belongs - this is called SOP Same Origin Policy.

In the drawing there are 2 domains :

• a.com : index.html is loaded from a.com. 
  index.html is embedding some javascript that tries to make an XmlHttpRequest to b.com
• b.com : hosts some good API from where the javascript embedded in index.html (loaded from a.com) want to get some data.

Understanding Javascript Origin

Say you have the following index.html file loaded in your browser from the domain a.com :

<htm>
    <head>
        <script src="http://c.com/some-file.js"></script>
        <script>
            ... embedded javascript ...
        </script>
        ...
    </head>
    ...
</html>

, you can see that the index.html contains 2 sections of javascript :

• referenced section loaded from c.com
• embedded section

In both cases, reference or embedded, the origin of the javascript is the domain from which the html was loaded, a.com, - so even if the referenced javascript is loaded from c.com, it's origin is NOT c.com but instead the domain from which the html was loaded, a.com.

• Same Origin Request : javascript loaded by http://a.com/index.html makes an XmlHttpRequest to a.com - same domain as the index.html.
• Cross Origin Request : javascript loaded by http://a.com/index.html makes an XmlHttpRequest to b.com - other domain than the index.html.

How the browser handles cross origin requests

The generally used browsers (like Chrome, FireFox etc.) all implement a Same Origin Policy that does NOT allow javascript to make cross origin requests UNLESS the requested server deliberately allows it.

Before making a cross origin request typically the browser will send a pre-flight request to see if the server deliberately allows requests from that particular origin : 

1. The browser sends a pre-flight request : (note that not all cross site requests are pre-flight, however the conditions determining whether a request is pre-flighted are far too detailed to go through here)
   • GET /some/path/on/requested/host HTTP/1.1
   • Host: b.com
   • Origin: http://a.com
2. The server may respond :
   • HTTP/1.1 200 OK
   • Access-Control-Allow-Origin: *
3. The browser allows the cross origin request

In the above example, the server (b.com) have deliberately told the browser that requests from any (*) origin including a.com should be allowed by sending Access-Control-Allow-Origin:* in the response header.

Alternatively the server, b.com, may respond with :

• Access-Control-Allow-Origin: a.com // browser will allow the request
• Access-Control-Allow-Origin: c.com // browser will NOT allow the request
• No Access-Control-AllowOrigin header // browser will NOT allow the request

Note that new browsers also regard different ports to be different origins.

ASP.NET Core CORS examples :

Different servers have different methods of setting the Access-Control-AllowOrigin header, here is how it is done in ASP.NET Core:

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("all", builder => // defining a CORS policy called "all"
            {
                builder.WithOrigins("*");
            });
        });
 
        // ..
    }
 
    Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseCors("all"); // use the "all" policy
 
        // ..
    }
}

In ASP.NET Core a CORS service needs to be added to the DI Container (services) and the CORS service must be added at least one CORS policy.

A CORS policy is created using a CorsPolicyBuilder and is registered with a name, eg. above I have a policy called "all" that will allow all origins to request resources on this server.

Fine tuning the CORS policy

Access-Control-Allow-Origin is the most important header entry to control CORS, however browsers supports 2 other CORS related headers, here is an example :

• Possible server response :
  • Access-Control-Allow-Origin : https://bar.example http://abc.com
  • Access-Control-Allow-Method : PUT
  • Access-Control-Allow-Header : x-my-custom-header

Using the CorsPolicyBuilder It is possible to fine tune how the ASP.NET Core server responds, the CorsPolicyBuilder have the following methods :

• .WithOrigins() :
• .WithHeaders() :
• .WithMethods() :
• .AllowAnyOrigin() :
• .AllowAnyHeader() :
• .AllowAnyMethod() :
• .WithExposedHeaders() :
• .SetPreFlighMaxAge() :

Eg. to create the server response above, we would have :

services.AddCors(options =>
{
   options.AddPolicy("clients", builder => // say we have 2 clients a.com & bar.example
   {
       builder.WithOrigins("https://a.com", "http://bar.example")
           .WithHeaders("x-my-custom-header")
           .WithMethods("PUT");
   });
 
});

In ASP.NET Core it is possible to control CORS behaviour on a specific HTTP endpoint by setting the CORS policy on Action methods using the EnableCors attribute : (it is also possible to set the EnableCors attribute on Controller level)

[HttpGet]
[EnableCors("PolicyName")]
public async Task<JsonResult> GetImage(string id) {
    // ..
}