Introducing IIS CORS 1.0

The IIS Team is pleased to announce the release of version 1.0 of the IIS CORS Module, which enables support for the Cross-Origin Resource Sharing (CORS) protocol.

CORS is a mechanism that lets a user agent access resources from a domain outside the domain from which the first resource was served. CORS defines a way, using additional HTTP headers, to request permission to access a selected resource. In addition, some requests may trigger a preflight request, which probes the server's supported HTTP methods with an HTTP OPTIONS request. The IIS CORS module helps with setting appropriate response headers and responding to preflight requests.

Once installed, the IIS CORS module is configured via a site or application web.config and has its own cors configuration section within system.webServer. Have a look at the configuration reference for more information.
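One way to check what a configured site actually returns is to audit a captured response (for example, `curl -i` output) against the origins you intended to allow. This is an added example, not code from the IIS team or the module; the function names, finding codes, origins and sample responses are constructed for illustration.

```python
def parse_response(raw):
    """Split raw response text (as printed by `curl -i`) into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                              # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit(raw, sent_origin, allowlist, preflight=False):
    """Return finding codes for the response to a request that sent `sent_origin`."""
    status, h = parse_response(raw)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    findings = []
    if acao == "*":
        if creds:
            findings.append("wildcard-with-credentials")  # browsers refuse this pair
    elif acao is not None:
        if acao not in allowlist:
            findings.append("unlisted-origin-allowed")    # grant to an origin you never listed
        if "origin" not in vary and "*" not in vary:
            findings.append("missing-vary-origin")        # a cache may reuse the grant
    elif sent_origin in allowlist:
        findings.append("listed-origin-not-allowed")      # intended origin got no grant
    if preflight and not 200 <= status < 300:
        findings.append("preflight-not-2xx")              # browser fails the real request
    return findings

# Constructed allowlist and sample responses (illustrative, not captured from a server).
ALLOWLIST = {"https://app.example"}
REFLECTED = """HTTP/1.1 302 Found
Location: /login.aspx
Access-Control-Allow-Origin: https://unlisted.example
"""
PREFLIGHT_401 = """HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
"""
GOOD = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://app.example
Vary: Accept-Encoding, Origin
"""

if __name__ == "__main__":
    print(audit(REFLECTED, "https://unlisted.example", ALLOWLIST))
```

Pass `preflight=True` when the captured response answers an OPTIONS request, since a preflight that does not return a 2xx status causes the browser to fail the request it was probing for.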

The IIS CORS module is now available for download (x86/x64/WebPI).

We’d love to hear your feedback on using the new module. Give it a spin and let us know what you think!

7 Comments

  • Is this only for IIS 10?

  • @Sam,

    The CORS module can be used on IIS 7.5 (Windows Server 2008 R2) and above.

  • The IIS CORS module is installed and is first in the module queue.

    I added the following to the web.config

    <configuration>
    <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
    <add origin="https://testing.test.com" allowed="true" />
    </cors>
    </system.webServer>
    </configuration>

    (testing.test.com is just a placeholder for an actual URL that I have replaced in this comment)

    I run the following curl command:

    curl -i -H "Origin: https://crap2.com" https://testing.test.com/a_page_that_returns_a_302.aspx

    In the response headers, I see this:

    Access-Control-Allow-Origin: https://crap2.com

    My understanding is that the CORS module should be blocking the request and not returning the 302. Additionally, IIS should definitely not be adding the bogus domain specified as the Origin into the Access-Control-Allow-Origin header.

    What am I missing here? Something critical in the configuration of the CORS module? No matter what I add in the config file, it doesn't seem to be blocking any requests.

  • Hello @Rick,

    What you sent looks like a web.config. Do you happen to have a CORS rule in the applicationHost.config that is allowing this domain such as

    <add origin="*" allowed="true" />

    ?

  • Look at the config example. It looks like in your config one line is missing:

    <configuration>
    <system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
    <add origin="https://testing.test.com" allowed="true" />
    <add origin="http://*" allowed="false" />
    </cors>
    </system.webServer>
    </configuration>

  • When I try to implement it, I am getting 'The element system.webserver has invalid child element 'cors''. How do I fix this problem? Should I reference any DLL?

    <cors enabled="true" failUnlistedOrigins="true">
    <add origin="*" allowCredentials="true" maxAge="120">
    <allowHeaders allowAllRequestedHeaders="true" />
    </add>
    </cors>

  • Hi,

    I am using the IIS CORS module and facing an issue with the preflight request. Since credentials are not passed in this request, the server returns 401 Unauthorized. Is there any configuration available for this kind of issue?
