Cross.CORS 1.0.0

.NET 6.0 This package targets .NET 6.0. The package is compatible with this framework or higher. 
dotnet add package Cross.CORS --version 1.0.0
                    


                    

                
NuGet\Install-Package Cross.CORS -Version 1.0.0
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="Cross.CORS" Version="1.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="Cross.CORS" Version="1.0.0" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="Cross.CORS" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add Cross.CORS --version 1.0.0
                    


                    

                
#r "nuget: Cross.CORS, 1.0.0"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package Cross.CORS@1.0.0
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=Cross.CORS&version=1.0.0
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=Cross.CORS&version=1.0.0
                    


                            Install as a Cake Tool

Cross.CORS Nuget Documentation

ASP.NET Core library for configuring Cross-Origin Resource Sharing (CORS) via the [AllowCrossOriginResourceSharing] attribute and global CorsConfig configuration.

Supported frameworks: .NET 6, .NET 7, .NET 8, .NET 9, .NET 10

Install NuGet package

Install-Package Cross.CORS

or

dotnet add package Cross.CORS

Library classes

Class Description
CorsConfig CORS configuration (origins, methods, headers, credentials)
CorsOptions Options for binding from appsettings.json; use CorsOptions.ConfigSection ("Cors") for GetSection()
CorsRegistry Static class for global configuration registration
AllowCrossOriginResourceSharingAttribute Attribute for controllers and actions with support for global and local configuration

Registration and configuration

Option 1: Global configuration

Call CorsRegistry.Register() at application startup (e.g. in Program.cs or Startup):

using Cross.CORS;

var builder = WebApplication.CreateBuilder(args);

// Register global CORS configuration
CorsRegistry.Register(new CorsConfig(
    allowOrigins: "https://example.com",
    allowMethods: "GET, POST, PUT, DELETE, OPTIONS",
    allowHeaders: "Content-Type, Authorization, X-Requested-With",
    allowCredentials: true));

var app = builder.Build();
// ...

When using global configuration, the [AllowCrossOriginResourceSharing] attribute without parameters adds response headers from this configuration.

Option 2: Configuration from appsettings.json

Configuration section name: CorsOptions.ConfigSection (value: "Cors").

{
  "Cors": {
    "AllowOrigins": "https://example.com, https://trusted-app.com",
    "AllowMethods": "GET, POST, PUT, DELETE, OPTIONS",
    "AllowHeaders": "Content-Type, Authorization",
    "AllowCredentials": true
  }
}

With CorsOptions class:

var corsOptions = new CorsOptions();
builder.Configuration.GetSection(CorsOptions.ConfigSection).Bind(corsOptions);
CorsRegistry.Register(corsOptions.ToCorsConfig());

Without CorsOptions (manual):

var corsSection = builder.Configuration.GetSection(CorsOptions.ConfigSection);
CorsRegistry.Register(new CorsConfig(
    allowOrigins: corsSection["AllowOrigins"] ?? "*",
    allowMethods: corsSection["AllowMethods"] ?? "*",
    allowHeaders: corsSection["AllowHeaders"] ?? "*",
    allowCredentials: corsSection.GetValue<bool>("AllowCredentials")));

Option 3: CorsConfig default parameters

// All origins, methods, headers; no credentials
CorsRegistry.Register(new CorsConfig(
    allowOrigins: "*",
    allowMethods: "*",
    allowHeaders: "*",
    allowCredentials: false));

Usage

On controller (global configuration)

using Cross.CORS;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
[AllowCrossOriginResourceSharing]  // uses CorsRegistry.Register()
public class ProductsController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "Product1", "Product2" });
}

On specific action (local configuration)

using Cross.CORS;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
public class ProductsController : ControllerBase
{
    [HttpGet]
    [AllowCrossOriginResourceSharing(
        allowOrigins: "https://example.com",
        allowMethods: "GET",
        allowHeaders: "Content-Type")]
    public IActionResult Get() => Ok(new[] { "Product1", "Product2" });

    [HttpPost]
    [AllowCrossOriginResourceSharing(
        allowOrigins: "https://trusted-app.com",
        allowMethods: "POST, OPTIONS",
        allowHeaders: "Content-Type, Authorization",
        allowCredentials: true)]
    public IActionResult Create([FromBody] Product product) => Ok(product);
}

Mixed usage

using Cross.CORS;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
[AllowCrossOriginResourceSharing]  // global for all actions
public class ProductsController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok();  // global configuration

    [HttpPost]
    [AllowCrossOriginResourceSharing(
        allowOrigins: "https://special-client.com",
        allowMethods: "POST",
        allowHeaders: "*",
        allowCredentials: true)]  // local overrides global
    public IActionResult Create([FromBody] Product product) => Ok(product);
}

Using with UseCors

When using the standard app.UseCors(), the [AllowCrossOriginResourceSharing] attribute adds CORS headers to the response after the action executes. This is useful for:

  • fine-grained CORS configuration on individual controllers/actions;
  • different rules for different origins on the same API;
  • cases where header control at the action filter level is needed.
// Program.cs
app.UseCors("Default");  // or another policy
app.UseAuthorization();
app.MapControllers();

Important notes

  1. Required configuration: When using the attribute without parameters, you must call CorsRegistry.Register() before handling requests. Otherwise, an InvalidOperationException will be thrown.

  2. Priority: Local configuration (via attribute parameters) takes precedence over global configuration.

  3. AllowCredentials: When allowCredentials: true, the allowOrigins value must not be * — specify a concrete origin.

  4. Order: The attribute adds headers in OnActionExecuted, so they are added to the response after the action executes.

  5. Multiple origins: The allowOrigins parameter supports multiple URLs separated by comma or space (e.g. "https://a.com, https://b.com" or "https://a.com https://b.com"). When the request includes an Origin header, the response echoes it if it matches the allowed list; otherwise the first allowed origin or * is used.

Product Compatible and additional computed target framework versions.
.NET net6.0 is compatible.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 is compatible.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 is compatible.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed.  net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

This package has no dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.0 38 3/7/2026

Initial version.