EnableCors should throw an exception if the HttpConfiguration has already been locked down due to the first request. Otherwise it will insert a MessageHandler that will not be properly chained with the other handlers, silently breaking the pipeline.
We require the config to be immutable after the first request but are currently not doing much to enforce it. The Cors scenario is one where a public API can corrupt the pipeline when called at the wrong time. We should start throwing InvalidOperationException whenever we can detect these illegal mutations of the config.
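A toy model of the failure described above, as an added example that is not part of the original issue or the Web API code base. `PipelineConfig`, `AddHandler` and `Send` are hypothetical stand-ins for `HttpConfiguration`, `EnableCors` and request dispatch; the example shows a late registration being silently dropped without the guard and rejected with `InvalidOperationException` with it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Toy model (hypothetical types, not System.Web.Http): handlers are chained
// once, on the first request, so later edits to the list never reach the chain.
class PipelineConfig
{
    private readonly List<string> _handlers = new List<string>();
    private Func<string, string> _chain;          // built on first request
    private readonly bool _enforceLock;
    public PipelineConfig(bool enforceLock) { _enforceLock = enforceLock; }
    public bool IsLocked => _chain != null;

    // Stand-in for an extension such as EnableCors that registers a handler.
    public void AddHandler(string name)
    {
        if (_enforceLock && IsLocked)
            throw new InvalidOperationException(
                "Configuration is locked after the first request; cannot add '" + name + "'.");
        _handlers.Add(name);
    }

    public string Send(string request)
    {
        if (_chain == null)
        {
            // Snapshot the handler list into a fixed chain, in registration order.
            string[] snapshot = _handlers.ToArray();
            _chain = r => snapshot.Aggregate(r, (acc, h) => acc + " -> " + h);
        }
        return _chain(request);
    }
}

static class Program
{
    static void Main()
    {
        var unguarded = new PipelineConfig(enforceLock: false);
        unguarded.AddHandler("Auth");
        Console.WriteLine(unguarded.Send("req1"));   // first request locks the chain
        unguarded.AddHandler("Cors");                // accepted, but never chained
        Console.WriteLine(unguarded.Send("req2"));   // trace still lacks the Cors handler
        var guarded = new PipelineConfig(enforceLock: true);
        guarded.AddHandler("Auth");
        guarded.Send("req1");
        try { guarded.AddHandler("Cors"); }          // late mutation now fails loudly
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```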