Breaking the single-domain rule with your ASP.NET web applications and Web API calls

Posted: (EET/GMT+2)

 

When the first web APIs and dynamic JavaScript calls (think AJAX) over the Internet started to emerge, browser vendors were quick to apply the so-called single-domain policy (more commonly known as the same-origin policy) to such calls for security reasons. With this policy in place, you cannot, for instance, make AJAX calls from a web application in domain A to a web API endpoint in domain B.

However, as web applications grow more complex, and because their usefulness can be greatly enhanced by allowing mashup data, a new standard called Cross-Origin Resource Sharing is starting to take shape. This standard, often referred to simply as CORS, allows a web application to use HTTP headers to specify which domain(s) it can be called from. This is done using the Access-Control-Allow-Origin header.

Now, you can easily add this header to your ASP.NET and MVC web applications manually. However, a recent update to the ASP.NET web stack also allows you to support CORS automatically in your Web API implementations. This is supported from the ASP.NET 2012.2 update onwards. This update was announced in February this year.
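One way to add the header manually, shown here as an added example that is not code from the original post or from the ASP.NET team: an `IHttpModule` that returns Access-Control-Allow-Origin only for origins on an explicit allowlist. The class name `CorsAllowListModule` and the two example.com origins are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: emits Access-Control-Allow-Origin only for allowlisted origins.
// The class name and the origins below are constructed placeholders.
public class CorsAllowListModule : IHttpModule
{
    // Exact scheme + host (+ port) matches only; no wildcards or substring checks.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://admin.example.com"
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        string origin = context.Request.Headers["Origin"];

        // The response now differs per Origin, so caches must key on it.
        context.Response.AppendHeader("Vary", "Origin");

        // Requests without an Origin header, or from an unlisted origin, get no
        // CORS headers, so the browser will not expose the response to the caller.
        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
            return;

        // Echo the single matched origin rather than "*".
        context.Response.AppendHeader("Access-Control-Allow-Origin", origin);

        // Answer the preflight (OPTIONS) request without running the real handler.
        if (context.Request.HttpMethod == "OPTIONS")
        {
            context.Response.AppendHeader("Access-Control-Allow-Methods", "GET, POST");
            context.Response.AppendHeader("Access-Control-Allow-Headers", "Content-Type");
            context.Response.StatusCode = 200;
            context.ApplicationInstance.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```

The module takes effect once it is registered in the application's web.config under `system.webServer/modules`. Note that the header only relaxes the browser's restriction on reading responses; it does not authenticate the caller, so the API still needs its own authorization checks.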

Tip: there's a nice .NET test client available for testing Web API calls. It installs as a NuGet package and works as a simple browser-based application.