dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Add content about enabling CORS for SignalR without applying the policy globally. #12918

Open ryan-h opened 5 years ago

ryan-h commented 5 years ago

I encountered a situation where the CORS policy used for SignalR could not be enabled as the middleware default for the entire application. Instead I needed to use a specific policy only for the requests to the SignalR hubs.

Maybe it would be helpful to add a subsection about "Cross-origin resource sharing" that describes how to branch the request pipeline in order to apply a CORS policy specifically for SignalR, which would then allow an application to use attributes to enable CORS elsewhere instead of using middleware.

public void Configure(IApplicationBuilder app)
{
    ...

    app.Map("/hubs", config =>
    {
         // Must be called before mapping SignalR hubs
         config.UseCors(builder =>
         {
             builder.WithOrigins("https://myorigin:5000")
                 .WithMethods("Get", "Post")
                 .AllowAnyHeader()
                 .AllowCredentials();
         });

         config.UseSignalR(routes =>
         {
             routes.MapHub<ChatHub>("/chat");
         });
    });
}


BrennanConroy commented 4 years ago

There are 2 ways to do this, assuming a named policy has been added:

services.AddCors(o =>
{
    o.AddPolicy("SignalRPolicy", o2 =>
    {
        o2.WithOrigins("https://example.com")
            .AllowAnyHeader()
            .WithMethods("GET", "POST")
            .AllowCredentials();
    });
});

1.

endpoints.MapHub<Chat>("/default").RequireCors("SignalRPolicy");

2.

[EnableCors("SignalRPolicy")]
public class Chat : Hub
{
}

And can cross-ref to https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.1#enable-cors-with-endpoint-routing
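
Added example (not code from either commenter or from the docs repo): a complete ASP.NET Core 3.1 app that combines the first approach above with the original request, so the hub gets "SignalRPolicy" through `RequireCors` while a controller opts in to a different policy by attribute and nothing is applied globally. `ReportsController`, "ApiPolicy" and `https://partner.example` are hypothetical names chosen for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Chat : Hub { }

// Hypothetical controller: opts in to its own policy through the attribute.
[ApiController, Route("api/[controller]"), EnableCors("ApiPolicy")]
public class ReportsController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok("sample");
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(o =>
        {
            // No default policy is registered, so endpoints without CORS
            // metadata get no CORS headers. Origins are listed explicitly:
            // AllowAnyOrigin() cannot be combined with AllowCredentials().
            o.AddPolicy("SignalRPolicy", p => p
                .WithOrigins("https://example.com")
                .AllowAnyHeader().WithMethods("GET", "POST")
                .AllowCredentials());
            o.AddPolicy("ApiPolicy", p => p   // hypothetical second policy
                .WithOrigins("https://partner.example").WithMethods("GET"));
        });
        services.AddSignalR();
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Between UseRouting and UseEndpoints: reads the matched endpoint's CORS metadata.
        app.UseCors();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapHub<Chat>("/default").RequireCors("SignalRPolicy");
            endpoints.MapControllers();
        });
    }
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(w => w.UseStartup<Startup>()).Build().Run();
}
```

A preflight `OPTIONS` request to `/default/negotiate` with `Origin: https://example.com` should come back with `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials`, while the same request with any other origin should carry neither header.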