Skip to main content
BuyLog In
Business Intelligence Dashboard
Search in…
Docs > Create the Designer and Viewer Applications > Web Dashboard > HTML JavaScript Dashboard Control > Cross-Origin Resource Sharing (CORS)
A newer version of this page is available. .
All docs
V19.1
Dashboard
Get Started
Basic Concepts and Terminology
Common Features
Create the Designer and Viewer Applications
WinForms Designer
WinForms Viewer
Web Dashboard
Web Dashboard Technical Overview
Supported Browsers
Required Client Libraries
HTML JavaScript Dashboard Control
Client-Side Configuration (Angular)
Client-Side Configuration (React)
Client-Side Configuration (Vue)
Client-Side Configuration (Global Namespaces)
Server-Side Configuration (ASP.NET MVC)
Server-Side Configuration (ASP.NET Core)
Upgrade to a New Package Version
Cross-Origin Resource Sharing (CORS)
Client-Side API Overview
Designer and Viewer Modes
Access to Underlying Widgets
Appearance Customization
Manage Dashboard State
Extend Web Dashboard Functionality
Create a Custom Item
ASP.NET MVC Dashboard Extension
ASP.NET Core Dashboard Control
ASP.NET Web Forms Dashboard Control
Mobile Layout
Error Logging
Security Considerations
Microsoft Azure Specifics
UI Elements
WPF Viewer
Create Dashboards
Visual Studio Integration
End-User Documentation
Localization
Redistribution and Deployment
Video Tutorials
Migration Guides
Examples
Member Tables
.NET Framework API Reference
.NET Core API Reference
HTML JS Control API Reference
ASP.NET Client API Reference
Download CHM

Cross-Origin Resource Sharing (CORS)

  • 3 minutes to read

On the web, you need to set up cross-origin resource sharing (CORS) on your back-end to configure corresponding permissions to access resources from a server at a different origin.

The Web Dashboard Control uses a JSON contract between server and client. According to Hypertext Transfer Protocol (HTTP/1.1) standard, the Web Dashboard control add the Content-Type: application/json HTTP header for each post request. If you use CORS in your application, you should set ‘Content-Type’ as an allowed header.

Enable CORS for ASP.NET Web Forms and MVC

For ASP.NET Web Forms and MVC, you can configure CORS in the Web.config file.

Simple way

To allow CORS requests from all origins, add the following custom headers:

<configuration>
    <system.webServer> 
        <httpProtocol> 
            <customHeaders> 
                <add name="Access-Control-Allow-Origin" value="*" />  
                <add name="Access-Control-Allow-Headers" value="Content-Type" /> 
            </customHeaders> 
        </httpProtocol> 
    </system.webServer>
</configuration>

Specify the client application’s URL directly to prohibit any client from getting access to your server with personal info. Use the Access-Control-Allow-Origin response header to set it up:

<customHeaders> 
    <add name="Access-Control-Allow-Origin" value="https://example.com" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" /> 
</customHeaders>

In the example above, the policy allows cross-origin requests from https://example.com and no other origins. Change this url to the url where the HTML JavaScript Dashboard is hosted.

You can add the EnableCORS attribute to DashboardController to enable CORS only for DashboardControl.

Enable CORS for ASP.NET Core

Important

The Microsoft.AspNetCore.Cors NuGet package is required for ASP.NET Core Dashboard server.

You can configure CORS in the Startup.cs file.

Simple way

In a ConfigureServices method, use the AllowAnyOrigin method to allow CORS requests from all origins. 

public void ConfigureServices(IServiceCollection services) {
    services
        .AddCors(options => {
            options.AddPolicy("AllowAnyOrigin", builder => {
                builder.AllowAnyOrigin();
                builder.WithHeaders("Content-Type");
            });
        });
    // ...
}

In a Configure method, call UseCors before UseMvc and pass the policy name as a parameter:

public void Configure(IApplicationBuilder app, IHostingEnvironment env) {
    // ...
    app.UseCors("AllowAnyOrigin");
    app.UseMvc(routes => { ... });
}

In a ConfigureServices method, specify the client application’s URL directly to prohibit any client from getting access to your server with personal info. Use the WithOrigins method to set it up:

public void ConfigureServices(IServiceCollection services) {
    services
        .AddCors(options => {
            options.AddPolicy("AllowCORSPolicy", builder => {
                builder.WithOrigins("https://example.com");
                builder.WithHeaders("Content-Type");
            });
        });
    // ...
}

In a Configure method, call UseCors before UseMvc and pass the policy name as a parameter:

public void Configure(IApplicationBuilder app, IHostingEnvironment env) {
    // ...
    app.UseCors("AllowCORSPolicy");
    app.UseMvc(routes => { ... });
}

In the example above, the policy allows cross-origin requests from https://example.com and no other origins. Change this url to the url where the HTML JavaScript Dashboard is hosted.

You can add the EnableCORS attribute to DashboardController to enable CORS only for DashboardControl.