Home Ask Login Register

Developers Planet

Your answer is one click away!

Luke Puplett February 2016

Microsoft.Owin.Cors doesn't return `Access-Control-Expose-Headers`

Many blog postings out on the web today say that with a WebAPI 2.0 project and OWIN, enabling CORS is easy.


However, I've never seen an Access-Control-Expose-Headers returned from my API, either in a response to a GET or an OPTIONS preflight.

I've altered my UseCors setup code to explicitly set a list of header names to expose in the CORS policy.

I haven't the CORS knowledge to assert that Microsoft.Owin.Cors package is broken, though I have a hunch that it is and that blogger's are only testing primitive APIs.


Luke Puplett February 2016

Armed with information from another question on here, I think the library is broken in respect to the CORS specification.

CORS - When to return `Access-Control-Expose-Headers`

I'll switch to using the System.Web.Http.Cors package that @Thomas mentions in his comment above.

Post Status

Asked in February 2016
Viewed 3,824 times
Voted 13
Answered 1 times


Leave an answer

Quote of the day: live life