For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,
- Make sure you installed IIS CORS Module on the server.
- Update the Web.Config of the website to have the cors section as given below,
Note: code tested on IIS 10
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <cors enabled="true" failUnlistedOrigins="true"> <add origin="*"> <allowHeaders allowAllRequestedHeaders="true" /> </add> </cors> </system.webServer> </configuration>
As you can see, we are allowing all origin's by specifying
* as the origin.
After just allowing all origins alone, if you encounter error like,
Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
To solve that, we are setting
allowAllRequestedHeaders="true" in the
allowHeaders for all the origins.
Remember: CORS is a security feature. Disable only if the resource is totally public.