I'd like to enable CORS on an API built with ASP.NET Core MVC, but all the current documents refer to earlier versions of that framework.

The notes on the new Cors features are very light, but I was able to get it working in my solution by looking at the new classes and methods. My Web API startup.cs looks like this. You can see how you can construct your origins and policies her by using the new CorsPolicy class. And enabling CORS with the AddCors and UseCors methods.

 public void ConfigureServices(IServiceCollection services)
 {
     services.AddMvc();
     //Add Cors support to the service
     services.AddCors();

     var policy = new Microsoft.AspNet.Cors.Core.CorsPolicy();

     policy.Headers.Add("*");    
     policy.Methods.Add("*");          
     policy.Origins.Add("*");
     policy.SupportsCredentials = true;

     services.ConfigureCors(x=>x.AddPolicy("mypolicy", policy));

 }


 public void Configure(IApplicationBuilder app, IHostingEnvironment  env)
 {
     // Configure the HTTP request pipeline.

     app.UseStaticFiles();
     //Use the new policy globally
     app.UseCors("mypolicy");
     // Add MVC to the request pipeline.
     app.UseMvc();
 }

You can also reference the policy in the controllers with the new attributes like so

[EnableCors("mypolicy")]
[Route("api/[controller]")]  

I got it working using the following code:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin()));
}

You can chain AllowAnyHeader() and/or AllowAnyMethod() to the configure action if needed.

To configure it for the complete app:

public void Configure(IApplicationBuilder app)
{
    app.UseCors("AllowAll");
}

Or just for a controller:

[EnableCors("AllowAll")]
public class HomeController : Controller
{
   // ...
}

--

Update: configuring CORS for all requests can be done a bit easier:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddCors();
}

public void Configure(IApplicationBuilder app)
{
    app.UseCors(builder =>
    {
        builder.WithOrigins("http://some.origin.com")
               .WithMethods("GET", "POST")
               .AllowAnyHeader();
    });
}

For more information, refer to the docs.

In the most recent RC2 of ASP.NET Core.

The NuGet packages are

"Microsoft.AspNetCore.Owin": "1.0.0-rc2-final",
"Microsoft.AspNetCore.Cors": "1.0.0-rc2-final",

In Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    // Add framework services.
    services.AddCors();
    services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    app.UseCors(builder =>  builder
    .AllowAnyOrigin());
    app.UseMvc();
}

Support for CORS is currently in development. Following issue is tracking that: https://github.com/aspnet/Mvc/issues/498

Update (3/28/2015):
This feature has been checked in and should be available in the next release.

cs1929 the method services.ConfigureCors(...) does no more exist. It is combined to AddCors:

services.AddCors(options => 
    options.AddPolicy("AllowAllOrigins", builder => builder.AllowAnyOrigin()));

Install : Microsoft.AspNetCore.Cors

In Configure method:

        app.UseCors(builder =>
                builder.WithOrigins("http://some.origin.com"));