Skip to content

Commit 581c88a

Browse files
CopilottdykstraCopilot
authored
CORS: Incorrect Status Code for OPTIONS endpoint (#36592)
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Tom Dykstra <tdykstra@microsoft.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
1 parent fb9fb82 commit 581c88a

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

aspnetcore/security/cors.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ author: tdykstra
55
description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app.
66
ms.author: tdykstra
77
ms.custom: mvc
8-
ms.date: 11/10/2025
8+
ms.date: 05/12/2026
99
uid: security/cors
1010
---
1111
# Enable Cross-Origin Requests (CORS) in ASP.NET Core
@@ -247,7 +247,7 @@ CORS Middleware declines a preflight request with the following request header b
247247
Access-Control-Request-Headers: Cache-Control, Content-Language
248248
```
249249

250-
The app returns a *200 OK* response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request.
250+
The app returns a `204 No Content` response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request.
251251

252252
### Set the exposed response headers
253253

@@ -364,7 +364,7 @@ The preflight request uses the [HTTP OPTIONS](https://developer.mozilla.org/docs
364364
* [Access-Control-Request-Method](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Request-Method): The HTTP method that will be used for the actual request.
365365
* [Access-Control-Request-Headers](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Headers): A list of request headers that the app sets on the actual request. As stated earlier, this doesn't include headers that the browser sets, such as `User-Agent`.
366366

367-
If the preflight request is denied, the app returns a `200 OK` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document.
367+
If the preflight request is denied, the app returns a `204 No Content` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document.
368368

369369
Using the F12 tools, the console app shows an error similar to one of the following, depending on the browser:
370370

0 commit comments

Comments
 (0)