Well explained. I understand it a bit better now. I already knew how to fix the errors but this added a bit more depth to my understanding. I never saw it done the manual way before, it makes more sense. Thanks.
Nice clear overview! If you needed to dynamically apply CORS configuration based on the request (which origin, is the request authenticated, ect...) can this be done with the built-in ASPNET Core "UseCors" middleware or should this be a completely custom built middleware?
As mentioned at 15:42, you're better off using an existing CORS middleware library, in particular because implementing CORS "from scratch" (unless you're intimately familiar with the protocol) is error-prone.
You would create a named policy like he does in the video towards the end. The difference is you don't enable CORS everywhere with app.UseCors(...); instead you enable it on the endpoint with an attribute: [EnableCors("Policy1")].
I have one question about the first part of the video. Unless I missed it, there was no preflight request for "Access-Control-Allow-Origin". Is it implicit? The server still has to first reply, and tell the browser that it allows CORS, right?
Still trying to figure out what CORS actually protects from: CORS is easily bypassed, for starters. As soon as you have the server set up to allow certain origins, methods, etc, then you no longer have the same security level (the session mechanism will be sent over just like normal). I don't get how this helps with security.
As someone not already familiar with CORS at this depth I found this a little too fast. Especially when it came to the allow credentials part where Creds and "cookies" seem to get conflated and from the point I was completely lost. Will have re-watch to see if I can unpick it.
That minimal api apps are very confusing - I'm missing the part where OtherApp is calling an API. EDIT: Nvm - fetching a server app from otherapp console does this.
I've been reading and looking around to understand CORS and I got a pretty good idea about it now. I have a problem where the preflight, when my webapi is deployed to the server, always returns a 401 Unauthorized. I'm calling the webapi from a vue-site installed on the same server but different site and port. I used the app.useCors but it still didn't work when deployed. So then I expliclty put the headers for allowing origins but I still get the 401 from the preflight/OPTIONS request. In chrome I don't see the allow-origins header on for the options request and the console says the header is missing but I know for a fact that I send it. So I don't understand why the 401?? Oh, and all GET requests work just fine, it's the preflight with OPTIONS that get the 401.. Anyone has any idea about how to solve it?
![เปิดใจ พี่ญา คนรุม หลังทัวร์ลง หนักสุดในชีวิต!! l [Nickynachat]](http://i.ytimg.com/vi/2-OJZRtclro/mqdefault.jpg)
![[UNCUT] "เสรีพิศุทธ์" แฉยับ! งัดหลักฐานใหม่ชั้น 14 ได้นอนคุกสมใจแน่!! I คนดังนั่งเคลียร์ I 2 ก.ย.67](http://i.ytimg.com/vi/O1SSg4p9Izs/mqdefault.jpg)
Epic explanation! Gets directly into the golden collection 😍Thank you!
Well explained. I understand it a bit better now. I already knew how to fix the errors but this added a bit more depth to my understanding. I never saw it done the manual way before, it makes more sense. Thanks.
Great work ! Keep it up. Really appreciable !
Well explained, one of the best video I have watched for CORS. Thanks for that.
Another great well explained video. Thanks heaps for making it.
Thank you, thank you and thank you! Finally I got to understand this topic. Really well explained as always. Again thanks!
Very informative like no other. Thank you!
Good explanation. Thank you
Nice clear overview! If you needed to dynamically apply CORS configuration based on the request (which origin, is the request authenticated, ect...) can this be done with the built-in ASPNET Core "UseCors" middleware or should this be a completely custom built middleware?
As mentioned at 15:42, you're better off using an existing CORS middleware library, in particular because implementing CORS "from scratch" (unless you're intimately familiar with the protocol) is error-prone.
Thanks Anton for the awesome video
how to load origins dynamically from database ?
You are a god thank you. very nice video💙
I have several POST endpoints in my controller, how can I allow CORS only for one of them and disallow it for others?
You would create a named policy like he does in the video towards the end. The difference is you don't enable CORS everywhere with app.UseCors(...); instead you enable it on the endpoint with an attribute: [EnableCors("Policy1")].
I have one question about the first part of the video. Unless I missed it, there was no preflight request for "Access-Control-Allow-Origin". Is it implicit? The server still has to first reply, and tell the browser that it allows CORS, right?
are you reading my messages?? I literally just asked this question holy shi* man holy falgget blacakaty magati shiiii- Thank Yoouuuu
Still trying to figure out what CORS actually protects from: CORS is easily bypassed, for starters. As soon as you have the server set up to allow certain origins, methods, etc, then you no longer have the same security level (the session mechanism will be sent over just like normal). I don't get how this helps with security.
As someone not already familiar with CORS at this depth I found this a little too fast. Especially when it came to the allow credentials part where Creds and "cookies" seem to get conflated and from the point I was completely lost. Will have re-watch to see if I can unpick it.
if you implement cross origin authentication, you'll quickly realise how to fix it using that header.
@@RawCoding for example if you use identity4 for your own api, client and server auth, i came across this issue, ?
Liked And Already Subscribed Bro
That minimal api apps are very confusing - I'm missing the part where OtherApp is calling an API. EDIT: Nvm - fetching a server app from otherapp console does this.
Thanks for well explained video, can I use CORS to allow or disallow calls to my APIs from mobile apps ? if yes How to do so ?
Did you miss the part where it’s a browser security feature?
@@RawCoding Seems I did, What is the best way to secure my APIs ?
Put it on a private network
I've been reading and looking around to understand CORS and I got a pretty good idea about it now. I have a problem where the preflight, when my webapi is deployed to the server, always returns a 401 Unauthorized. I'm calling the webapi from a vue-site installed on the same server but different site and port. I used the app.useCors but it still didn't work when deployed. So then I expliclty put the headers for allowing origins but I still get the 401 from the preflight/OPTIONS request. In chrome I don't see the allow-origins header on for the options request and the console says the header is missing but I know for a fact that I send it. So I don't understand why the 401?? Oh, and all GET requests work just fine, it's the preflight with OPTIONS that get the 401.. Anyone has any idea about how to solve it?
First 😄