Commit 97951f0

Update troubleshoot-cross-origin-resource-sharing-issues.md
1 parent af89c60 commit 97951f0

File tree

1 file changed

+11
-11
lines changed

support/entra/entra-id/app-integration/troubleshoot-cross-origin-resource-sharing-issues.md

Lines changed: 11 additions & 11 deletions
@@ -1,8 +1,8 @@
11
---
2-
title: Troubleshoot Cross-Origin Resource Sharing issues
2+
title: Troubleshoot Cross-Origin Resource Sharing Issues
33
description: Helps you troubleshoot and resolve Cross-Origin Resource Sharing issues when using Microsoft Entra ID.
44
ms.service: entra-id
5-
ms.date: 07/04/2025
5+
ms.date: 07/07/2025
66
ms.reviewer: willfid, v-weizhu
77
ms.custom: sap:Developing or Registering apps with Microsoft identity platform
88
---
@@ -12,7 +12,7 @@ This article provides guidance on troubleshooting and resolving Cross-Origin Res
1212

1313
## Understanding CORS
1414

15-
[Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/docs/Web/HTTP/Guides/CORS) is an [HTTP](https://developer.mozilla.org/docs/Glossary/HTTP)-header-based mechanism that allows a server to specify [origins](https://developer.mozilla.org/docs/Glossary/Origin)(domains, schemes, ports) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check whether the server permits the actual request. During this preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
15+
[Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/docs/Web/HTTP/Guides/CORS) is an [HTTP](https://developer.mozilla.org/docs/Glossary/HTTP)-header-based mechanism that allows a server to specify [origins](https://developer.mozilla.org/docs/Glossary/Origin)(domains, schemes, ports) other than its own from which a browser should permit loading resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check whether the server permits the actual request. During this preflight, the browser sends headers that indicate the HTTP method and headers that are used in the actual request.
1616

1717
For detailed information about CORS headers, refer to [CORS headers](https://developer.mozilla.org/docs/Glossary/CORS).
1818
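Review bot: on line 15 there is no space between the `[origins](...)` link and `(domains, schemes, ports)`, so the parenthetical renders jammed against the link text; please add one. The same sentence also presents the preflight as something browsers always do, but a preflight is only sent for requests that aren't "simple" (a method other than GET/HEAD/POST, custom headers such as `Authorization`, or a non-form content type). Suggest "For requests that require it, the browser also makes a "preflight" request to the server hosting the cross-origin resource..." so readers don't expect an `OPTIONS` exchange on every call.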

@@ -41,7 +41,7 @@ While developing an application, you might encounter the following CORS-related
4141
> [!NOTE]
4242
>
4343
> - These errors are generated by Microsoft Entra ID. Request URLs in these errors often begin with `https://login.microsoftonline.com` or `https://<your-domain>.b2clogin.com`. The latter typically points to an Azure Active Directory B2C scenario.
44-
> - If the error doesn't originate from Microsoft Entra ID, it looks like "Access to XMLHttpRequest at `https://app.contoso.com`." This article doesn't provide guidance for resolving external CORS issues. In such cases, you need to configure CORS in that environment.
44+
> - If the error doesn't originate from Microsoft Entra ID, it looks like "Access to XMLHttpRequest at `https://app.contoso.com`." This article doesn't provide guidance on resolving external CORS issues. In such cases, you need to configure CORS in that environment.
4545
4646
## Cause
4747
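Review bot: the sample error text on line 44 stops at the request URL, and the note never tells the reader that the host in that URL is the server they must act on. Suggest adding that explicitly, e.g. "the host named after `Access to XMLHttpRequest at` is the server that has to return the CORS headers; configure CORS there", so the closing sentence ("configure CORS in that environment") points at something the reader can find in the error message.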

@@ -91,15 +91,15 @@ You can notice that the request contains an `Origin` header, but no `Access-Cont
9191

9292
## General solution
9393

94-
Implement your application architecture to follow the OAuth2 and OIDC standards. This solution can ensure your front-end application acquires an access token and includes it in the `Authorization` header to the API you're making your `XMLHttpRequest` to. Here are some [single-page application samples](/entra/identity-platform/sample-v2-code?tabs=apptype).
94+
Implement your application architecture to follow the OAuth2 and OIDC standards. This solution can ensure your front-end application acquires an access token and includes it in the `Authorization` header of the request when you make your `XMLHttpRequest` to the API. Here are some [single-page application samples](/entra/identity-platform/sample-v2-code?tabs=apptype).
9595

9696
## Scenario-based solutions
9797

9898
Here are the most common scenarios. Not every scenario is listed in this article as every environment and app architecture is different.
9999

100100
### Scenario 1: Web app and Web API using authentication cookies
101101

102-
If your web app or framework makes `XMLHttpRequest` calls to its API endpoint and use the Web Apps authentication cookies, examine the `XMLHttpRequest` request in the Fiddler capture. It might look like this:
102+
If your web app or framework makes `XMLHttpRequest` calls to its API endpoint and uses the Web Apps authentication cookies, examine the `XMLHttpRequest` request in the Fiddler capture. It might look like this:
103103

104104
```http
105105
GET https://app.domain.com/… HTTP/1.1
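Review bot: "the Web Apps authentication cookies" on line 102 is ambiguous after the singular/plural fix: if it means cookies issued by the web app's own sign-in, say "your web app's authentication cookies"; if it means the Azure App Service authentication feature, name it. Also the placeholder host in the Fiddler capture on line 105 is `app.domain.com` while the note on line 44 uses `app.contoso.com`; pick one placeholder host for the article.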
@@ -133,7 +133,7 @@ If you use ASP.NET or ASP.NET Core, configure Microsoft Entra ID to avoid using
133133
}
134134
```
135135

136-
Then, implement extra `XMLHttpRequest` logic to check if the request is complete and it's a redirect or a 401 error. You must do this to tell the client to have the user sign-in again. In most cases, refreshing the page allows the user reauthenticate. Here's a code exmaple:
136+
Then, implement extra `XMLHttpRequest` logic to check if the request is complete and it's a redirect or a 401 error. You must perform the action to tell the client to have the user sign-in again. In most cases, refreshing the page allows the user to reauthenticate. Here's a code exmaple:
137137

138138
```http
139139
client.onreadystatechange = () => {
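Review bot: the fence on line 138 is tagged `http` but the snippet is JavaScript (`client.onreadystatechange = () => {`); tag it `javascript` so highlighting and linting behave. Line 136 still carries the typo "exmaple" in both the old and new text, and the rewrite "You must perform the action to tell the client" is less clear than the original "You must do this"; suggest "This check lets the client prompt the user to sign in again." One more caution for that sentence: `XMLHttpRequest` follows redirects transparently, so the handler never observes a 302 itself; after a redirect to the sign-in page what it sees is the failed cross-origin response (status 0), so "it's a redirect" should be phrased in terms of what the handler can actually observe.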
@@ -170,11 +170,11 @@ To resolve the issue in this scenario, use one of the following methods:
170170
171171
#### Method 1: Send a valid token
172172
173-
If you're passing an access token to your API resource, ensure the token is valid. Check if the token is expired. If it is, request a new access token. If you're using Microsoft Authentication Library for JavaScript (MSAL.js), use `acquireTokenSilent` every time to acquire a new token before passing it to your API. Don't cache this token yourself. Always use `acquireTokenSilent` to get the cached token directly from MSAL.
173+
If you pass an access token to your API resource, ensure the token is valid. Check if the token is expired. If it is, request a new access token. If you use Microsoft Authentication Library for JavaScript (MSAL.js), use `acquireTokenSilent` every time to acquire a new token before passing it to your API. Don't cache this token yourself. Always use `acquireTokenSilent` to get the cached token directly from MSAL.
174174
175175
For more information, see [Single-page application: Acquire a token to call an API](/entra/identity-platform/scenario-spa-acquire-token).
176176
177-
Here's is an example of how it looks when passing a token to an API: [Single-page application: Call a web API](/entra/identity-platform/scenario-spa-call-api)
177+
Here's is an example of how it looks when passing a token to an API: [Single-page application: Call a web API](/entra/identity-platform/scenario-spa-call-api).
178178
179179
#### Method 2: Use JWT bearer authentication
180180
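Review bot: "Here's is an example" on line 177 survives the edit, which only appends a period; suggest "Here's an example of passing a token to an API: ...". On line 173, "Check if the token is expired. If it is, request a new access token" and the following "use `acquireTokenSilent` every time" say the same thing twice; since the paragraph's own advice is to let MSAL hand out the cached or renewed token, it can drop the manual expiry check and simply say to call `acquireTokenSilent` before every API call.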
@@ -218,7 +218,7 @@ Based on OAuth2 specs and Security best practices, don't use the following flows
218218
- Resource Owner Password Credential (ROPC)
219219
- Confidential Client flows, such as Client Credentials or On-behalf-of flows
220220
221-
All other flows won't be supported in Single Page Applications. Microsoft Entra ID and B2C won't add the CORS headers for the unsupported flows.
221+
All other flows aren't supported in Single Page Applications. Microsoft Entra ID and B2C don't add the CORS headers for the unsupported flows.
222222
223223
### Scenario 6: Using Microsoft Entra Application Proxy
224224
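Review bot: "All other flows aren't supported in Single Page Applications" on line 221 is ambiguous directly after a list of flows that must not be used: "other" reads as "flows other than ROPC and the confidential-client flows", the opposite of the intent. Suggest naming the supported flows instead of "all other", e.g. "Flows other than the supported ones listed above aren't supported in single-page applications; Microsoft Entra ID and Azure AD B2C don't add CORS headers to responses for them." "Single Page Applications" should also match the "single-page application" spelling used on line 94.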
@@ -227,7 +227,7 @@ If your app uses Microsoft Entra Application Proxy, see [Understand complex appl
227227
## References
228228
229229
- [Enable Cross-Origin Requests (CORS) in ASP.NET Core](/aspnet/core/security/cors)
230-
- [Enabling Cross-Origin Requests in ASP.NET Web API 2](/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api)
230+
- [Enable Cross-Origin Requests in ASP.NET Web API 2](/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api)
231231
- [Azure App Service REST API tutorial](/azure/app-service/app-service-web-tutorial-rest-api)
232232
- [Azure API Management CORS policy](/azure/api-management/cors-policy)
233233
