I'm running ASP.NET Core 2.0 (.NET Standard) on an Azure Web App. I am not using CORS middleware (i.e. no call to app.UseCors()), but I am setting up an access policy like so:
The web app runs on www.mydomain.com and CORS is set up like...
    services.AddCors(options =>
    {
        options.AddPolicy("ScormStorageCors",
            builder => builder.AllowAnyOrigin()
                              .AllowAnyHeader()
                              .AllowAnyMethod()
                              .AllowCredentials());
    });
The controller is decorated as such:
    [EnableCors("ScormStorageCors")]
    public async Task<IActionResult> LMSCommands(ScormCommand cmd)
    {
    }
The Ajax request is dispatched from storage.mydomain.com and looks like so:
    $.ajax({
        url: serviceURL,
        cache: false,
        type: "POST",
        crossDomain: true,
        xhrFields: { withCredentials: true },
        data: cmd,
        async: false, // cross domain requests don't support async
        error: function (xhr, textStatus, settings)
        {
            alert("Error: " + xhr.status + " " + xhr.statusText + " " + xhr.responseText);
        }
    });
This works as expected and I can also see an Access-Control-Allow-Origin header in the HTTP response to the Ajax request. Notice I'm allowing "Any Origin" in the policy definition.
If, however, I set up CORS like so:
    services.AddCors(options =>
    {
        options.AddPolicy("ScormStorageCors",
            builder => builder.WithOrigins(new string[] {"storage.mydomain.com"})
                              .AllowAnyHeader()
                              .AllowAnyMethod()
                              .AllowCredentials());
    });
... and I make the same Ajax call, I get an HTTP 200 AND the action executes, succeeds AND sends back a valid and complete response over the wire (verified with Fiddler), BUT it's missing the Access-Control-Allow-Origin header in the HTTP response, so the browser won't accept it and the Ajax call ultimately fails.
Am I doing something wrong or is this a bug in the API? Any known workarounds? I really don't want to allow access to my endpoint from outside of my app domains.
Thanks in advance!
Try to pass http://storage.mydomain.com or https://storage.mydomain.com as allowed origin. https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.0
You can also enable debug logging to see more details.
Your allowed origin (as @JulijaRamoskiene already stated) must contain the http:// or https:// prefix, as it compares your permitted string against the Origin header provided by the client, which always contains the URL without the URI, e.g. https://storage.mydomain.com
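An added illustration, not code from this thread or from ASP.NET Core: a small Python model of the exact-match comparison the two answers describe, of the browser's check on a credentialed response, and of a policy sanity check that also flags the wildcard-plus-credentials combination from the first configuration. The policy dictionaries and origin values are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed policies mirroring the configurations discussed in the thread.
# {"origins": [...], "credentials": bool}; "*" stands for AllowAnyOrigin().
BROKEN_POLICY = {"origins": ["storage.mydomain.com"], "credentials": True}        # no scheme
FIXED_POLICY = {"origins": ["https://storage.mydomain.com"], "credentials": True}  # scheme added
WILDCARD_POLICY = {"origins": ["*"], "credentials": True}                          # any origin + cookies


def origin_entry_is_valid(entry):
    """Allow-list entries must look like a browser Origin: scheme://host[:port], nothing more."""
    if entry == "*":
        return True
    p = urlsplit(entry)  # 'storage.mydomain.com' parses as a bare path, so it fails here
    return p.scheme in ("http", "https") and bool(p.netloc) and p.path == "" and not p.query and not p.fragment


def cors_headers(origin, policy):
    """Server side: exact, case-insensitive match of the Origin header against the allow-list.
    Returns {} when nothing matches, i.e. no Access-Control-Allow-Origin is sent (the OP's symptom)."""
    wildcard = "*" in policy["origins"]
    if not wildcard and origin.lower() not in (o.lower() for o in policy["origins"]):
        return {}
    headers = {}
    if wildcard and not policy["credentials"]:
        headers["Access-Control-Allow-Origin"] = "*"
    else:
        # A credentialed response must name one origin, so the request's Origin is echoed back.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    if policy["credentials"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_accepts(origin, headers, with_credentials):
    """Browser side: the check applied to the response of an XHR sent with withCredentials."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)


def policy_is_safe(policy):
    """Wildcard plus credentials echoes any Origin with cookies attached, so every site on the
    web could call the endpoint as the logged-in user. Malformed entries are rejected too."""
    if "*" in policy["origins"] and policy["credentials"]:
        return False
    return all(origin_entry_is_valid(o) for o in policy["origins"])
```

The first configuration in the question "works" from storage.mydomain.com only because it reflects whatever Origin arrives, which also lets any other site make credentialed calls; newer ASP.NET Core releases refuse AllowAnyOrigin() together with AllowCredentials() at startup.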
Thanks for contacting us. We believe that the question you've raised have been answered. If you still feel a need to continue the discussion, feel free to reopen it and add your comments.
I'm getting the same. When using AllowAnyOrigin, Access-Control-Allow-Origin is not set at all.