dotnet
diff --git a/‎src/Middleware/CORS/samples/SampleDestination/Program.cs‎
Lines changed: 24 additions & 2 deletions b/‎src/Middleware/CORS/samples/SampleDestination/Program.cs‎
Lines changed: 24 additions & 2 deletions
diff --git a/‎src/Middleware/CORS/samples/SampleDestination/Startup.cs‎
Lines changed: 37 additions & 34 deletions b/‎src/Middleware/CORS/samples/SampleDestination/Startup.cs‎
Lines changed: 37 additions & 34 deletions
diff --git a/‎src/Middleware/CORS/samples/SampleDestination/StartupWithoutEndpointRouting.cs‎
Lines changed: 88 additions & 0 deletions b/‎src/Middleware/CORS/samples/SampleDestination/StartupWithoutEndpointRouting.cs‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎src/Middleware/CORS/samples/SampleOrigin/Program.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/Middleware/CORS/samples/SampleOrigin/Program.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Middleware/CORS/src/CorsPolicyMetadata.cs‎
Lines changed: 23 additions & 0 deletions b/‎src/Middleware/CORS/src/CorsPolicyMetadata.cs‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎src/Middleware/CORS/src/Infrastructure/CorsEndpointConventionBuilderExtensions.cs‎
Lines changed: 65 additions & 0 deletions b/‎src/Middleware/CORS/src/Infrastructure/CorsEndpointConventionBuilderExtensions.cs‎
Lines changed: 65 additions & 0 deletions
@@ -1,6 +1,7 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.IO;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Logging;
@@ -16,10 +17,31 @@ public static void Main(string[] args)
                 .UseUrls("http://+:9000")
                 .UseContentRoot(Directory.GetCurrentDirectory())
                 .ConfigureLogging(factory => factory.AddConsole())
-                .UseStartup<Startup>()
+                .UseStartup(GetStartupType())
                 .Build();
 
             host.Run();
         }
+
+        private static Type GetStartupType()
+        {
+            var startup = Environment.GetEnvironmentVariable("CORS_STARTUP");
+            if (startup == null)
+            {
+                return typeof(Startup);
+            }
+            else
+            {
+                switch (startup)
+                {
+                    case "Startup":
+                        return typeof(Startup);
+                    case "StartupWithoutEndpointRouting":
+                        return typeof(StartupWithoutEndpointRouting);
+                }
+            }
+
+            throw new InvalidOperationException("Could not resolve the startup type. Unexpected CORS_STARTUP environment variable.");
+        }
     }
 }
@@ -1,7 +1,6 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
 using System.Net;
 using System.Text;
 using System.Threading.Tasks;
@@ -26,66 +25,70 @@ public Startup(ILoggerFactory loggerFactory)
 
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddCors();
-        }
-
-        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
-        {
-            app.Map("/allow-origin", innerBuilder =>
+            services.AddCors(options =>
             {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowOrigin", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .AllowAnyMethod()
                     .AllowAnyHeader());
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/allow-header-method", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowHeaderMethod", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .WithHeaders("X-Test", "Content-Type")
                     .WithMethods("PUT"));
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/allow-credentials", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowCredentials", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .AllowAnyHeader()
                     .WithMethods("GET", "PUT")
                     .AllowCredentials());
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/exposed-header", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("ExposedHeader", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .WithExposedHeaders("X-AllowedHeader", "Content-Length"));
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/allow-all", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowAll", policy => policy
                     .AllowAnyOrigin()
                     .AllowAnyMethod()
                     .AllowAnyHeader()
                     .AllowCredentials());
+            });
+            services.AddRouting();
+        }
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        {
+            app.UseRouting(routing =>
+            {
+                routing.Map("/allow-origin", HandleRequest).WithCorsPolicy("AllowOrigin");
+                routing.Map("/allow-header-method", HandleRequest).WithCorsPolicy("AllowHeaderMethod");
+                routing.Map("/allow-credentials", HandleRequest).WithCorsPolicy("AllowCredentials");
+                routing.Map("/exposed-header", HandleRequest).WithCorsPolicy("ExposedHeader");
+                routing.Map("/allow-all", HandleRequest).WithCorsPolicy("AllowAll");
             });
 
+            app.UseCors();
+
+            app.UseEndpoint();
+
             app.Run(async (context) =>
             {
                 await context.Response.WriteAsync("Hello World!");
             });
         }
+
+        private Task HandleRequest(HttpContext context)
+        {
+            var content = Encoding.UTF8.GetBytes("Hello world");
+
+            context.Response.Headers["X-AllowedHeader"] = "Test-Value";
+            context.Response.Headers["X-DisallowedHeader"] = "Test-Value";
+
+            context.Response.ContentType = "text/plain; charset=utf-8";
+            context.Response.ContentLength = content.Length;
+            context.Response.Body.Write(content, 0, content.Length);
+
+            return Task.CompletedTask;
+        }
     }
 }
@@ -0,0 +1,88 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Net;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace SampleDestination
+{
+    public class StartupWithoutEndpointRouting
+    {
+        private static readonly string DefaultAllowedOrigin = $"http://{Dns.GetHostName()}:9001";
+        private readonly ILogger<StartupWithoutEndpointRouting> _logger;
+
+        public StartupWithoutEndpointRouting(ILoggerFactory loggerFactory)
+        {
+            _logger = loggerFactory.CreateLogger<StartupWithoutEndpointRouting>();
+            _logger.LogInformation($"Setting up CORS middleware to allow clients on {DefaultAllowedOrigin}");
+        }
+
+        public void ConfigureServices(IServiceCollection services)
+        {
+            services.AddCors();
+        }
+
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        {
+            app.Map("/allow-origin", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .AllowAnyMethod()
+                    .AllowAnyHeader());
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/allow-header-method", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .WithHeaders("X-Test", "Content-Type")
+                    .WithMethods("PUT"));
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/allow-credentials", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .AllowAnyHeader()
+                    .WithMethods("GET", "PUT")
+                    .AllowCredentials());
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/exposed-header", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .WithExposedHeaders("X-AllowedHeader", "Content-Length"));
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/allow-all", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .AllowAnyOrigin()
+                    .AllowAnyMethod()
+                    .AllowAnyHeader()
+                    .AllowCredentials());
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Run(async (context) =>
+            {
+                await context.Response.WriteAsync("Hello World!");
+            });
+        }
+    }
+}
@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.IO;
 
@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using Microsoft.AspNetCore.Cors.Infrastructure;
+
+namespace Microsoft.AspNetCore.Cors
+{
+    /// <summary>
+    /// Metadata that provides a CORS policy.
+    /// </summary>
+    public class CorsPolicyMetadata : ICorsPolicyMetadata
+    {
+        public CorsPolicyMetadata(CorsPolicy policy)
+        {
+            Policy = policy;
+        }
+
+        /// <summary>
+        /// The policy which needs to be applied.
+        /// </summary>
+        public CorsPolicy Policy { get; }
+    }
+}
@@ -0,0 +1,65 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Cors.Infrastructure;
+using Microsoft.AspNetCore.Routing;
+
+namespace Microsoft.AspNetCore.Builder
+{
+    /// <summary>
+    /// CORS extension methods for <see cref="IEndpointConventionBuilder"/>.
+    /// </summary>
+    public static class CorsEndpointConventionBuilderExtensions
+    {
+        /// <summary>
+        /// Adds a CORS policy with the specified name to the endpoint(s).
+        /// </summary>
+        /// <param name="builder">The endpoint convention builder.</param>
+        /// <param name="policyName">The CORS policy name.</param>
+        /// <returns>The original convention builder parameter.</returns>
+        public static IEndpointConventionBuilder WithCorsPolicy(this IEndpointConventionBuilder builder, string policyName)
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            builder.Apply(endpointBuilder =>
+            {
+                endpointBuilder.Metadata.Add(new EnableCorsAttribute(policyName));
+            });
+            return builder;
+        }
+
+        /// <summary>
+        /// Adds the specified CORS policy to the endpoint(s).
+        /// </summary>
+        /// <param name="builder">The endpoint convention builder.</param>
+        /// <param name="configurePolicy">A delegate which can use a policy builder to build a policy.</param>
+        /// <returns>The original convention builder parameter.</returns>
+        public static IEndpointConventionBuilder WithCorsPolicy(this IEndpointConventionBuilder builder, Action<CorsPolicyBuilder> configurePolicy)
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            if (configurePolicy == null)
+            {
+                throw new ArgumentNullException(nameof(configurePolicy));
+            }
+
+            var policyBuilder = new CorsPolicyBuilder();
+            configurePolicy(policyBuilder);
+            var policy = policyBuilder.Build();
+
+            builder.Apply(endpointBuilder =>
+            {
+                endpointBuilder.Metadata.Add(new CorsPolicyMetadata(policy));
+            });
+            return builder;
+        }
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) .NET Foundation. All rights reserved.`
	`1`	`+// Copyright (c) .NET Foundation. All rights reserved.`
`2`	`2`	`// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.`
`3`	`3`
`4`	`4`	`using System.IO;`