CORS issue with Sitefinity 9.1 No 'Access-Control-Allow

Posted by Community Admin on 04-Aug-2018 21:08

CORS issue with Sitefinity 9.1 No 'Access-Control-Allow-Origin'

All Replies

Posted by Community Admin on 26-Jul-2016 00:00

Hello everyone,

We were trying to enable CORS on our Staging server and no matter what setting we enable or tweak in our security layer it appears the CORS functionality is not working with Sitefinity although its apparently enabled. 

To ensure it was not a problem with the configuration on the Staging server, I downloaded the latest Sitefinity Empty SampleProject found here:  and I was able to reproduce the exact same problem locally.

Attached you will find two screenshots.

WebRequest with Error.png will show you the entire debug window from the developer tools from within Google Chrome.

WebService options.png shows you the options set against that specific web service and showing CORS is enabled.

Also with a direct quote from the official Sitefinity Documentation on CORS:  

"Enter *
Every request from every domain will be allowed. We do not recommend this, because there may be malicious users who would try to exploit the service. We recommend to specify only domains that are trusted."

Hopefully this can be addressed and thanks to anyone who has any information or suggestions on this issue. 

Posted by Community Admin on 01-Feb-2017 00:00

Was there any feedback at all on this?  I am having the same issue with both 9.1 and in 9.2.

Posted by Community Admin on 02-Feb-2017 00:00

Hi Kevin,

You can enable CORS for specific locations with  web.config:

<location path="api/something">
             <add name="Access-Control-Allow-Origin" value="*" />


Posted by Community Admin on 02-Feb-2017 00:00

First, thank you for the response!!!

Is the <location>  tag needed?  Not sure what that is...  also this should go in between <configuration> tags?

Posted by Community Admin on 09-Feb-2017 00:00

Hi Victor, can you confirm Kevin's reply? We just had an issue where the rocketship loaded but in watching the network trace we would get the CORS error. Manually restarting the website in IIS cleared it up.

Posted by Community Admin on 10-Apr-2017 00:00

Location tag is just limiting the rule.

If you want to apply CORS rule (Access-Control-Allow-Origin:*) for all website, you don't need to specify location tag. 

If you want to apply it only for specific URLs, you need to specify location.

You can check details in msdn:

This thread is closed