MiniProfiler · pmccloghrylaing · Jul 15, 2020
diff --git a/src/MiniProfiler.AspNetCore/MiniProfilerMiddleware.cs b/src/MiniProfiler.AspNetCore/MiniProfilerMiddleware.cs
@@ -197,6 +197,12 @@ private async Task SetHeadersAndState(HttpContext context, MiniProfiler current)
                     }
                 }
 
+                // Expose X-MiniProfiler-Ids header if this is a CORS request
+                if (context.Request.Headers.ContainsKey("Origin"))
+                {
+                    context.Response.Headers.Add("Access-Control-Expose-Headers", "X-MiniProfiler-Ids");
+                }
+
                 // Set the state to use in RenderIncludes() down the pipe later
                 new RequestState { IsAuthorized = isAuthorized, RequestIDs = profilerIds }.Store(context);
             }
@@ -205,6 +211,18 @@ private async Task SetHeadersAndState(HttpContext context, MiniProfiler current)
 
         private async Task HandleRequest(HttpContext context, PathString subPath)
         {
+            // Is this a CORS request
+            if (context.Request.Headers.TryGetValue("Origin", out var originValues)
+                && originValues.Any())
+            {
+                SetCorsHeaders(context.Response, originValues);
+                if (context.Request.Method == "OPTIONS")
+                {
+                    await HandleCorsOptionsRequest(context.Response);
+                    return;
+                }
+            }
+
             context.Response.StatusCode = StatusCodes.Status200OK;
             string result = null;
 
@@ -406,5 +424,24 @@ private async Task<string> GetSingleProfilerResultAsync(HttpContext context)
                 return Render.SingleResultHtml(profiler, context.Request.PathBase + Options.RouteBasePath.Value.EnsureTrailingSlash());
             }
         }
+
+        private void SetCorsHeaders(HttpResponse response, string origin)
+        {
+            response.Headers.Add("Vary", "Origin");
+
+            if (_options.Value.CorsOrigins != null
+                && _options.Value.CorsOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase))
+            {
+                response.Headers.Add("Access-Control-Allow-Origin", origin);
+            }
+        }
+
+        private async Task HandleCorsOptionsRequest(HttpResponse response)
+        {
+            response.StatusCode = 200;
+            response.Headers.Add("Access-Control-Allow-Headers", "Content-Type");
+            response.Headers.Add("Access-Control-Allow-Methods", "OPTIONS, GET");
+            await response.WriteAsync("").ConfigureAwait(false);
+        }
     }
 }
diff --git a/src/MiniProfiler.AspNetCore/MiniProfilerOptions.cs b/src/MiniProfiler.AspNetCore/MiniProfilerOptions.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using StackExchange.Profiling.Internal;
@@ -55,6 +56,11 @@ public class MiniProfilerOptions : MiniProfilerBaseOptions
         /// </summary>
         public Func<HttpRequest, string> UserIdProvider { get; set; } = request => request.HttpContext.Connection.RemoteIpAddress?.ToString();
 
+        /// <summary>
+        /// Optional list of origins allowed for CORS requests to MiniProfiler
+        /// </summary>
+        public IEnumerable<string> CorsOrigins { get; set; }
+
 #if NETCOREAPP3_0
         /// <summary>
         /// Whether to add a Server-Timing header after profiling a request. Only supported in .NET Core 3.0 and higher.