For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,
- Make sure you installed IIS CORS Module on the server.
- Update the Web.Config of the website to have the cors section as given below,
Note: code tested on IIS 10
1<?xml version="1.0" encoding="UTF-8"?>2<configuration>3 <system.webServer>4 <cors enabled="true" failUnlistedOrigins="true">5 <add origin="*">6 <allowHeaders allowAllRequestedHeaders="true" />7 </add>8 </cors>9 </system.webServer>10</configuration>
As you can see, we are allowing all origin’s by specifying
* as the origin.
After just allowing all origins alone, if you encounter error like,
Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.
To solve that, we are setting
allowAllRequestedHeaders="true" in the
allowHeaders for all the origins.
Remember: CORS is a security feature. Disable only if the resource is totally public.