Free Support Forum -

Not allow Access-Control-Allow-Origin:*



we are using groupdocs web viewer v. for mvc. After a security audit they adviced us to remove the response header Access-Control-Allow-Origin:* for document-viewer pages. How do we do this?



Thank you for the request.
Access-Control-Allow-Origin is not a part of the Viewer it’s a W3C spec that allows cross-domain communication from the browser. By building on top of the XMLHttpRequest object, CORS allows developers to work with the same idioms as same-domain requests. More info about it you can find here

Best regards.


Yes, I know that, but we’re not adding it to our pages. So it must be the viewer that adds that response header to its pages. How do we remove that response header from the document-viewer pages?


Hi again,

The Viewer doesn’t add such header to it’s responses, but I can assume that you have added such module:

in to the Web.Config. Please check your Web.config for such module and remove it.

Best regards.


No, there is nothing like that. Just tested with a new mvc project (v.4.6), added the viewer (v. 2.19) from NuGet, and inspected the document-viewer/ViewDocument. Then the header was added. Inside the Web.config was nothing added:

<?xml version="1.0" encoding="utf-8"?>



Thank you for sharing the Web.Config. Could you please also share with me a screenshot of such request and headers, also share the code example which you use for the Viewer and describe your use case.

Thank you.


Use case: we want to show pdf files via a subscription, so users need to pay to view the pdf files and we don’t want them do download any files, just view them as images. That’s why we selected your tool.

But by doing a security audit they send us a couple of remarks. One of them is the allow access control header.

source code

PDF Viewer



Hi again,

Thank you for the example and screenshot. As you can see on this screenshot GroupDocs.Viewer doesn’t add such header to the request and I can’t reproduce such behavior. Since that I need full project example that I can run it on my local and check why such header added.

Thank you.


you should go to:



Hi again,

Thank you for the project example. I have checked the issue in it and unfortunately I can’t reproduce it, as you can see there is no such header added, since that I can assume that you should check your IIS configurations for the cross domain configs or check carefully your project could be you have enabled it somewhere.

Best regards.


That’s really strange, because when I run the same sample with the development server I get the extra header.

For my understanding: you did not change anything at the sample project? You also used the version 2.19 of the viewer, correct?


Seems that one difference is that you are using as server: ASP.NET development server 11.0 and I’m using IIS 10.0 (express). Not sure if that made a difference.



Yes, correct I use Viewer 2.19.0 and have changed nothing except the server. Since you have use the IIS and get such extra header it confirms that the reason of such extra header is your server configuration.

Best regards.


Ok and what if you also used IIS express? Do you get the extra header then?



At last I was able to reproduce the issue. I will share it with our Product team and they will resolve it, then I will come back to you with the details.

Sorry for the inconvenience.