I'm trying to get started with the Content Delivery API, and have a question regarding CORS. I installed the CDA NuGet packages, added the initialization part in ConfigureContainer, and got the site up and running on localhost. When I try to call the API from a browser, I see from the response header that it allows cross-site calls:
This seems to be set by the Content Delivery Api somewhere, and I'm unsure how to change this from code (I can append headers, but not modify existing).
Can this be changed somehow?
Using Content Delivery API v. 2.17.0.
Isn't the whole point of the Content Delivery API to use Episerver as a content hub on a separate web app, with the front end on a different web app?
You should be able to modify the ASP.NET response headers in AddOnSendingHeaders. In your begin request handler you would add the AddOnSendingHeaders, and in that handler you could look at the response headers and add or remove them as you see fit.
But have you tried to configure the CORS with a CORS-policy: https://docs.microsoft.com/en-us/previous-versions/aspnet/dn314684(v=vs.118)#corshttpconfigurationextensionsenablecors-method-httpconfiguration ?
@Antti: yes, I did try that, but could only add to header, not change existing.
Solution was to override GetOrCreatePolicy in EPiServer.ContentApi.Core.Security.Internal.CorsPolicyService (in a custom service), set the CORS-policy, and then re-register the service (with AddSingleton).
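
The AddOnSendingHeaders approach suggested earlier in the thread, sketched as an added example (not code from any poster and not Episerver's own): an `IHttpModule` that replaces whatever `Access-Control-Allow-Origin` value the pipeline produced with an allowlisted origin. The module name and the origins are assumptions made for illustration, and the IIS integrated pipeline is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module name; requires the IIS integrated pipeline
// (Response.Headers cannot be modified in classic mode).
public class CorsAllowListModule : IHttpModule
{
    // Constructed sample origins: replace with the front ends allowed to call the API.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://www.example.com",
            "https://app.example.com"
        };

    public void Init(HttpApplication application)
    {
        application.BeginRequest += (sender, e) =>
        {
            HttpContext context = ((HttpApplication)sender).Context;
            // The callback fires just before headers are flushed, after other
            // components have written theirs, so existing values can be replaced.
            context.Response.AddOnSendingHeaders(RewriteCorsHeaders);
        };
    }

    private static void RewriteCorsHeaders(HttpContext context)
    {
        var headers = context.Response.Headers;
        // Leave responses alone unless some component emitted a CORS header.
        if (headers["Access-Control-Allow-Origin"] == null) return;

        headers.Remove("Access-Control-Allow-Origin");
        string origin = context.Request.Headers["Origin"];
        if (origin != null && AllowedOrigins.Contains(origin))
        {
            // Echo only an origin that matched the allowlist.
            headers["Access-Control-Allow-Origin"] = origin;
            // Caches must not reuse this response for a different origin.
            headers.Add("Vary", "Origin");
        }
        else
        {
            // Origin not allowed: drop the credentials grant as well.
            headers.Remove("Access-Control-Allow-Credentials");
        }
    }

    public void Dispose() { }
}
```

The module has to be registered under `system.webServer/modules` in web.config before it runs.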