Skip to content

CORS: Incorrect Status Code for OPTIONS endpoint #36592

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tdykstra merged 4 commits into from
May 12, 2026
Merged

CORS: Incorrect Status Code for OPTIONS endpoint #36592

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c2eb641
Initial plan
Copilot Jan 8, 2026
556bccc
Update CORS response status from 200 to 204
tdykstra May 12, 2026
ee3707e
Change CORS documentation date to 05/12/2026
tdykstra May 12, 2026
6738199
Potential fix for pull request finding
tdykstra May 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions aspnetcore/security/cors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ author: tdykstra
description: Learn how CORS as a standard for allowing or rejecting cross-origin requests in an ASP.NET Core app.
ms.author: tdykstra
ms.custom: mvc
ms.date: 11/10/2025
ms.date: 05/12/2026
uid: security/cors
---
# Enable Cross-Origin Requests (CORS) in ASP.NET Core
Expand Down Expand Up @@ -247,7 +247,7 @@ CORS Middleware declines a preflight request with the following request header b
Access-Control-Request-Headers: Cache-Control, Content-Language
```

The app returns a *200 OK* response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request.
The app returns a `204 No Content` response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request.

### Set the exposed response headers

Expand Down Expand Up @@ -364,7 +364,7 @@ The preflight request uses the [HTTP OPTIONS](https://developer.mozilla.org/docs
* [Access-Control-Request-Method](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Request-Method): The HTTP method that will be used for the actual request.
* [Access-Control-Request-Headers](https://developer.mozilla.org/docs/Web/HTTP/Headers/Access-Control-Allow-Headers): A list of request headers that the app sets on the actual request. As stated earlier, this doesn't include headers that the browser sets, such as `User-Agent`.

If the preflight request is denied, the app returns a `200 OK` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document.
If the preflight request is denied, the app returns a `204 No Content` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document.
Copy link
Copy Markdown
Contributor

@wadepickett wadepickett May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tdykstra , Line 250 uses an astrisk around the reponse and this ilne 367 uses backticks around the "returns a 204 No Content response". Should both cases use backticks?


Using the F12 tools, the console app shows an error similar to one of the following, depending on the browser:

Expand Down
Loading