ASP.NET Core CORS combining policies; enablecors in controller vs midleware configuration

this will help To set a default CORS policy use app.UseCors(string policyName) overload.
Your CORS requests will be failing because you are rejecting all headers and methods. From what I read, the CORS specification states that you shouldn't set any headers at all if any of the checks fail. See implementation here, this is most likely why your client will be receiving the standard No 'Access-Control-Allow-Origin' header is present error, as no headers are added at all, even though the Origin check passes.

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("Example",
            builder => builder.WithOrigins("http://www.example.com")
                                .AllowAnyHeader()
                                .AllowAnyMethod());
        options.AddPolicy("AllowAll",
            builder => builder.AllowAnyOrigin()
                                .AllowAnyHeader()
                                .AllowAnyMethod());
    });

    services.AddMvc();
    //other configure stuff
}


public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseCors("AllowAll"); //Default

    app.UseMvcWithDefaultRoute();
}

may help you . Both your methods add * as origin, but builder.AllowAnyOrigin() also clear all other registered origins inside builder, so it is better to use it.
From the source code:

public CorsPolicyBuilder WithOrigins(params string[] origins)
{
     foreach (var req in origins)
     {
        _policy.Origins.Add(req);
     }

     return this;
}

public CorsPolicyBuilder AllowAnyOrigin()
{
     _policy.Origins.Clear();
     _policy.Origins.Add(CorsConstants.AnyOrigin);
     // `CorsConstants.AnyOrigin` conts has `*` as value
     return this;
}

may help you . I found the problem and it was a really weird one. I was reading an older blog which talked about CORS and ASP.NET Core. Then I stumbled upon this comment which said that the solution worked for Kestrel, but not for IIS Express. So I changed my build configuration to not use IIS Express and it now works flawlessly for both browsers. If you want this to work for IIS Express, then you don't edit your Startup.cs, but you edit your application.config file which probably is located in your project root folder.

To fix the issue you can do Unsure if anything changed in Core 3.0, but in 2.2 I would solve it like this: add this to ConfigureServices

services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
                builder => builder.AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader());
        });

app.UseCors("CorsPolicy");

Hope that helps To access MyController , it should match both policies : the DefaultPolicy from RequireAuthorization and the custom Full policy . In addition , the DefaultPolicy could be updated by providing a policy to the UseAuthorization middleware :

services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireClaim("claimName")
        .Build();
});