Browsers usually apply same-origin restrictions to network requests. These restrictions would prevent a malicious page from making a cross origin request initiated from within a script. As an example, this means ordinarily a script served from
https://foo.comcannot make a request to
https://bar.com. However, there are instances in which you may want to allow sites to make these requests. For example, it's a common practice the split the web frontend (
https://contoso.com) from the service hosting your API (
https://api.contoso.com). For such scenarios to work, you will need to configure your API to reply with appropriate CORS headers. The IIS CORS module provides a way for web administrators and web site authors to easily support the CORS protocol by delegating all CORS protocol handling to the module.