HOTSPOT
You store JSON data in a blob by using the Azure Blob service. Web applications access the JSON data by using
client-side JavaScript calls.
JSON data is stored in a container that is configured to allow anonymous access. Web applications that are
allowed to make updates to the data have access to any necessary shared access signatures (SASs) and storage
keys.
You configure one Cross-Origin Resource Sharing (CORS) rule for the https://fabrikam.com domain and then
run the following method. Line numbers are provided for reference only.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
No
No
Yes
Agreed
No… Rules were added and not replaced.
No… HEAD operation was not added.
Yes… partners can use Get because Get can come from any origin “*”
Researched this question in depth. Believe that answer to number 1 is ‘No’. It IS still in effect as in line 3 we retrieve the existing ServiceProperties from the blob, we add two additional rules to the reference for the ServiceProperties and we add the reference back to blob on 16.
Think the 3rd answer is No.
If the incoming request (for Contoso) matches a rule in its origin domain and its method, that rule is selected to process the request and no further rules are evaluated. Therefore, Contoso executes the second rule, which allows only POST and PUT and drops out at that point. It never gets to the next rule. Thoughts?
The answer to the third question is Yes.
The request is matched against the origin and method of each rule and will move on until a fitting one has been found. And the only fitting one is the second rule allowing the access.
This behavior is described here: https://msdn.microsoft.com/en-us/library/azure/dn535601.aspx
Can anyone confirm the correct answer?
No. Rule is added. No clear, no delete.
No.
Yes.
1. First, the origin domain of the request is checked against the domains listed for the AllowedOrigins element. If the origin domain is included in the list, or all domains are allowed with the wildcard character ‘*’, then rules evaluation proceeds. If the origin domain is not included, then the request fails.
2. Next, the method (or HTTP verb) of the request is checked against the methods listed in the AllowedMethods element. If the method is included in the list, then rules evaluation proceeds; if not, then the request fails.
“GET” is not included in the list, so the evaluation proceeds and it gets success after evaluation of “*” domain.
No. Rule is added. No clear, no delete.
No.
Yes.
This answer is incorrect.
CORS rules are evaluated in the order they are defined.
The 1st rule that meets the pre-flight request's origin and method is applied.
1st Answer: Should be No
Defining new rules doesn't invalidate previous rules.
2nd Answer: Should be No
HEAD method is not allowed in either rule.
3rd Answer: Should be Yes
Since GET is not part of the AllowedMethods in the first rule, it is not applied. The 2nd rule allows any GET request from any origin so the CORS request would succeed.
https://docs.microsoft.com/en-us/rest/api/storageservices/Cross-Origin-Resource-Sharing--CORS--Support-for-the-Azure-Storage-Services?redirectedfrom=MSDN
3rd Answer : Should be No
Since the rules are processed in the order they are present in the request body, best practices recommend that you specify the most restrictive rules with respect to origins first in the list, so that these are evaluated first. Specify rules that are less restrictive – for example, a rule to allow all origins – at the end of the list.
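
The ordered evaluation debated in this thread can be modelled in a few lines. This is an added example, not the code from the question and not Azure's implementation; the rule values (the Fabrikam rule's methods and headers, the https://contoso.example origin, the x-ms-meta-* header pattern) are constructed assumptions, since the page does not show the method body.

```javascript
// Added illustration: a model of ordered CORS rule evaluation, not Azure's code.
// All rule values are constructed; the page does not show the actual method body.
const rules = [
  // Assumed pre-existing rule (its methods and headers are not given on the page).
  { origins: ["https://fabrikam.com"], methods: ["GET", "PUT"], headers: ["*"] },
  // Assumed shape of the two added rules, as the comments describe them.
  { origins: ["https://contoso.example"], methods: ["PUT", "POST"], headers: ["x-ms-meta-*"] },
  { origins: ["*"], methods: ["GET"], headers: [] },
];

// Header patterns: "*" allows all, a trailing "*" is a prefix match, else exact.
function headerAllowed(pattern, name) {
  const p = pattern.toLowerCase(), n = name.toLowerCase();
  if (p === "*") return true;
  return p.endsWith("*") ? n.startsWith(p.slice(0, -1)) : p === n;
}

// Walk the rules in order. The first rule whose origin AND method both match
// is selected; a header mismatch on that rule fails the request outright and
// later rules are not consulted.
function evaluateCors(ruleList, origin, method, requestHeaders = []) {
  for (let i = 0; i < ruleList.length; i++) {
    const r = ruleList[i];
    const originOk = r.origins.includes("*") || r.origins.includes(origin);
    if (!originOk || !r.methods.includes(method.toUpperCase())) continue;
    const headersOk = requestHeaders.every(h => r.headers.some(p => headerAllowed(p, h)));
    return { allowed: headersOk, rule: i };
  }
  return { allowed: false, rule: -1 }; // no rule matched origin and method
}

// The cases argued in the thread, plus one showing that a selected rule is final.
function demo() {
  return {
    contosoGet: evaluateCors(rules, "https://contoso.example", "GET"),
    contosoHead: evaluateCors(rules, "https://contoso.example", "HEAD"),
    fabrikamPut: evaluateCors(rules, "https://fabrikam.com", "PUT"),
    contosoPutBadHeader: evaluateCors(rules, "https://contoso.example", "PUT", ["x-custom"]),
  };
}
console.log(demo());
```

The last case is the reason the most restrictive rules belong first: once a rule is selected on origin and method, a header it does not allow fails the request even if a later rule would have accepted it.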