How to allow CORS for ASP.NET WebForms endpoint?

I am trying to add some [WebMethod] annotated endpoint functions to a Webforms style web app (.aspx and .asmx).

I’d like to annotate those endpoints with [EnableCors] and thereby get all the good ajax-preflight functionality.

VS2013 accepts the annotation, but still the endpoints don’t play nice with CORS. (They work fine when used same-origin but not cross-origin).

I can’t even get them to function cross-origin with the down and dirty

HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "*");

approach — my browsers reject the responses, and the cross-origin response headers don’t appear.

How can I get CORS functionality in these [WebMethod] endpoints?


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

I recommend double-checking you have performed all steps on this page: CORS on ASP.NET

In addition to:

Response.AppendHeader("Access-Control-Allow-Origin", "*");

Also try:

Try adding directly in web config:
       <add name="Access-Control-Allow-Methods" value="*" />
       <add name="Access-Control-Allow-Headers" value="Content-Type" />

Failing that, you need to ensure you have control over both domains.

Method 2

If you need the preflight request, e.g. so you can send authenticated requests, you are not able to set Access-Control-Allow-Origin: *. It must be a specific Origin domain.
Also you must set the Access-Control-Allow-Methods and Access-Control-Allow-Headers response headers, if you are using anything besides the defaults.
(Note these constraints are just how CORS itself works – this is how it is defined.)

So, it’s not enough to just throw on the [EnableCors] attribute, you have to set values to the parameters:

[EnableCors(origins: "", headers: "X-Custom-Header", methods: "PUT", SupportsCredentials = true)]

Or if you want to do things manually and explicitly:
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "");
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Headers", "X-Custom-Header");
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Methods", "PUT");
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Credentials", "true");

One last thing – you do have to call .EnableCors() on initiation. In e.g. MVC or WebAPI, you would call this on HttpConfiguration, when registering the config and such – however I have no idea how it works with WebForms.

Method 3

FYI, enable CORS in classic webform. In Global.asax

void Application_Start(object sender, EventArgs e)
     name: "DefaultApi",
     routeTemplate: "api/{controller}/{action}/{id}",
     defaults: new { id = System.Web.Http.RouteParameter.Optional }

Method 4

If you use the AppendHeader method to send cache-specific headers and at the same time use the cache object model (Cache) to set cache policy, HTTP response headers that pertain to caching might be deleted when the cache object model is used. This behavior enables ASP.NET to maintain the most restrictive settings. For example, consider a page that includes user controls. If those controls have conflicting cache policies, the most restrictive cache policy will be used. If one user control sets the header “Cache-Control: Public” and another user control sets the more restrictive header “Cache-Control: Private” via calls to SetCacheability, then the “Cache-Control: Private” header will be sent with the response.

You can create a httpProtocol in web config for customHeaders.

       <add name="Access-Control-Allow-Methods" values="*" />        

Method 5

For the web form, you can use

Response.AddHeader(“Access-Control-Allow-Origin”, “*”);

instead of

Response.AppendHeader(“Access-Control-Allow-Origin”, “*”);

The first one works for old version of ASP.Net Web Form.

Method 6

I think your code looks good, but IIS does not send the header entity alone with response expectedly. Please check whether IIS is configured properly.

If CORS doesn’t work for your particularity problem, maybe jsonp is another possible way.

Method 7

You can do like this in MVC

[EnableCors(origins: "*", headers: "*", methods: "*")]
public ActionResult test()
     Response.AppendHeader("Access-Control-Allow-Origin", "*");
     return View();

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x