Aspnetcore: CORS issue with latest SignalR with CORS and MVC with default routes

@sebastienricher what version of ASP.NET Core \ SignalR are you on? Browsers normalize the Origin header when making a preflight request. This means the Origin header would appear as http://productionsite.com (note the casing) and the CORS middleware will ignore the request. We tweaked some of this in 2.2, so the version would affect further investigation.

Hi @pranavkm, I'm on AspNetCore v2.0.1 / MVC v2.0.0,

I've updated everything to the latest (core v2.1.6 and mvc v2.1.3) and I still get the same behavior.

And SignalR is on 1.0.4

@sebastienricher the change is in the 2.2. release which hasn't been released as yet. Regardless, could you change the log level in your application to the most verbose level and see what the CORS middleware has to say? Usually it'll indicate why it decided to not provide a CORS response.

@pranavkm Where can I set this configuration, I tried changing the log level for my application but I don't see any logs about CORS replies. I ran with "Verbose" and "Debug" as LogLevel.

I'm currently running this locally so my Angular client is on http://localhost:4200 and my server application is on http://some-url/ using a local DNS entry. Note that I do have a dash in the url.

I know the "order" of things is important, I'm currently setup as CORS --> SignalR --> MVC. I did try to switch things around CORS --> MVC --> SignalR but it did not help the situation.

Edit: I tried running with the v2.2.0-preview3-35497 version just in case, did not work.

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-2.2#default-minimum-level
Is it possible to capture a fiddler trace? Or browser network trace? https://github.com/aspnet/SignalR/wiki/Diagnostics-Guide#network-traces

Also, try 2.2.0-rtm-35688 version of CORS as some of the preview3 builds had a bug.

The order shouldn't matter as long as the CORS middleware appears first. When I run the server with logging enabled, here's a snippet of what I see:

info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[5]
      CORS policy execution failed.
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[6]
      Request origin http://localhost:9001 does not have permission to access the resource.

Do none of these appear in your server logs?

Hi. We're closing this issue as no response or updates have been provided in a timely manner and we have been unable to reproduce it. If you have more details and are encountering this issue please add a new reply and re-open the issue.

Hi folks,

Sorry for the delayed response, had other work priorities. Got some time this morning (just as the issue was being closed haha), here is a Fiddler log for the "MainHub" endpoint for SignalR. I'm not too familiar with Fiddler to don't hesitate to ask for specifics.

Request headers:

OPTIONS /v1/XYZ/MainHub/negotiate HTTP/1.1
Host: lb-services
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
DNT: 1
Access-Control-Request-Headers: x-requested-with
Accept: /
Accept-Encoding: gzip, deflate
Accept-Language: en-CA,en;q=0.9,fr;q=0.8

As opposed to a working "non-sockets" call:

GET /v1/XYZ/api/core/GetAllCounterparties HTTP/1.1
Host: lb-services
Connection: keep-alive
Accept: application/json, text/plain, /
Origin: http://localhost:4200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
DNT: 1
Referer: http://localhost:4200/borrows
Accept-Encoding: gzip, deflate
Accept-Language: en-CA,en;q=0.9,fr;q=0.8

And for the response headers:

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Mon, 03 Dec 2018 20:53:53 GMT
Content-Length: 0

As opposed to a working "non-sockets" call:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Vary: Origin
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Origin: http://localhost:4200
Access-Control-Allow-Credentials: true
Date: Mon, 03 Dec 2018 20:53:54 GMT

Otherwise I'm still working on getting more log details, I got the log level to be very detailed, example:

{"Timestamp":"2018-12-03T15:50:31.8513011-05:00","Level":"Information","MessageTemplate":"CORS policy execution successful.","RenderedMessage":"CORS policy execution successful.","Properties":{"EventId":{"Id":4},"SourceContext":"Microsoft.AspNetCore.Cors.Infrastructure.CorsService","RequestId":"XXXXXX","RequestPath":"/borrow/GetDirections","CorrelationId":null}}

But I cannot find any logs for my MainHub SignalR endpoint. Still working on that but wanted to provide more details.

I'll also update to the suggested version, will post updates soon.

(Also, I'm looking for that re-open button?)

https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-2.2#default-minimum-level
Is it possible to capture a fiddler trace? Or browser network trace? https://github.com/aspnet/SignalR/wiki/Diagnostics-Guide#network-traces

Also, try 2.2.0-rtm-35688 version of CORS as some of the preview3 builds had a bug.

How can I set my project to 2.2.0-rtm-35688? I'm on 2.2.0-preview3-35497 (Latest prerelease) and I'm not sure how to set the version higher than that? Thanks!

--> Update: On tried 2.2.0-rtm-35688, setting this in my .csproj file. Ran the solution, got the same behavior in terms of the SignalR connection failing with the CORS message. Still working on getting Hubs in the logs.

@pranavkm when you have some time, could you take a look please?

@pranavkm can you take a peek at this? Thanks!

Any update to fix this problem?

A complete nightmare. The equivalent project in ASP.NET Core 2.1 works perfect. In 2.2:

_Response to preflight request doesn't pass access control check:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Is there a way to solve without having to use hard code? Like

services.AddCors(options => { options.AddPolicy(allowSpecificOrigins, builder => { builder.WithOrigins("http://localhost:50768") .AllowAnyHeader() .AllowAnyMethod() .AllowCredentials(); });
In other words.
What happens if I know the destination (client ip) after publishing the application ?, that is, could I add a WithOrigin dynamically? –

Hei, guys! Anybody found a solution to this problem? Or shall I just revert the project to .NET Core 2.1?

You could specify the origin in your WithOrigin call. The changes from 2.1 to 2.2 were, essentially, to comply with details in the CORS specification, which make your apps more secure. Apologies to @harveytriana for this causing additional complexity.

Hi @bradygaster, not sure why this has become close as my original issue is still not solved. I've not tackled this issue recently since other work priorities. But I intend to try again with 2.2. Has no one tried to reproduce this?

It isn't something we need to try, it's that the CORS middleware evolved from 2.1 to 2.2, becoming more secure yet also more restrictive in usage. You'd can't have, effectively, "allow everything," so we'll need to triage and get you guidance if specifying an origin is too restrictive.

@bradygaster I'm looking back at my initial post, my CORS policy is:

corsBuilder.WithOrigins(new[] { "http://localhost:4200",
"http://productionSite.com" }); // for a specific url. Don't add a forward slash on the end!
corsBuilder.AllowAnyHeader();
corsBuilder.AllowCredentials();
corsBuilder.AllowAnyMethod();

So I am not allowing any origin, but rather setting my dev and production urls. Is there an adjustment to that configuration that is needed?

Thanks for the help!

What you have here mirrors a the settings for a demo project on which I'm working ATM. The code for that is below, and for that site, SignalR and REST APIs both work from clients in the origin list.

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy(_corsPolicyName,
        builder =>
        {
            builder.WithOrigins(
                    "https://localhost:5001", 
                    "https://localhost:4001",
                    "https://localhost:44307",
                    "https://localhost:44394"
                )
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials();
        });
    });

    services.AddSignalR();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseCors(_corsPolicyName);
    app.UseRouting();
    app.UseDefaultFiles();
    app.UseStaticFiles();
}

And are you using "UseMvcWithDefaultRoute" ?

How to fix this problem? AllowCredentials didn't help

In my case adding allow credentials AllowCredentials did the trick.

ConfigureServices

services.AddCors(o => o.AddPolicy("CorsPolicy", builder => {
                builder
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials()
                .WithOrigins("http://localhost:4200");
            }));

services.AddSignalR();
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

Configure

if (env.IsDevelopment())
{
    app.UseDeveloperExceptionPage();
}

app.UseCors("CorsPolicy");
app.UseSignalR(routes =>
{
    routes.MapHub<NotifyHub>("/notify");
});

app.UseMvc();

Hi,
I'm experiencing the same problem and this is my startup.cs code:

under ConfigureServices()

    services.AddCors(options =>
            {
                options.AddPolicy("AllowAll",
                    builder =>
                    {
                        builder
                        .AllowAnyOrigin()
                        .AllowAnyMethod()
                        .AllowAnyHeader()
                        .AllowCredentials();
                    });
            });
            services.AddSignalR();

Configure

          app.UseCors("CorsPolicy");
            app.UseSignalR(routes =>
            {

                routes.MapHub<StronglyTypedScaleHub>("/hubpages/strongscalehub");
                routes.MapHub<HubLibrary.Hubs.ScaleHub>("/ScaleHub");
            });

            app.UseMvcWithDefaultRoute();

Is the issue because I didn't provide specific origins?

Edit; I have also tried specifying the origin and I still get the same error

            services.AddCors(options =>
            {
                options.AddPolicy("LocalPolicy",
                    builder =>
                    {
                        builder
                        .WithOrigins("http://localhost:53465")
                        .AllowAnyMethod()
                        .AllowAnyHeader()
                        .AllowCredentials();
                    });
            });

The error:

_Response to preflight request doesn't pass access control check:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

And on Edge Browser

HTTP405: BAD METHOD - The HTTP verb used is not supported.
(XHR)OPTIONS - http://localhost:54325/ScaleHub/negotiate

Yes, you should explicitly add the list of allowed origins, * is no longer acceptable.

Yes, you should explicitly add the list of allowed origins, * is no longer acceptable.

@shahabganji , I have tried that and I still get the error. Am I implementing it wrongly?
Ahh, just realised I mispelled the policy! So sorry!

The name of policy in your app.UseCores do not Mach the name of the policy you have defined, in this case “AllowAll”

On Jun 15, 2019, at 17:51, captmomo notifications@github.com wrote:

Yes, you should explicitly add the list of allowed origins, * is no longer acceptable.
@shahabganji , I have tried that and I still get the error. Am I implementing it wrongly?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

Thank you Saeed!
Yes I realised that. Using the right name and specifying the origin address
in the CORS policy rectified the error.
Thanks again.

On Sat, 15 Jun 2019 at 9:35 PM, Saeed Ganji notifications@github.com
wrote:

The name of policy in your app.UseCores do not Mach the name of the policy
you have defined, in this case “AllowAll”

On Jun 15, 2019, at 17:51, captmomo notifications@github.com wrote:

Yes, you should explicitly add the list of allowed origins, * is no
longer acceptable.
@shahabganji , I have tried that and I still get the error. Am I
implementing it wrongly?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/aspnet/AspNetCore/issues/5385?email_source=notifications&email_token=AGDEEVS3GD5AZHWBO3DBIM3P2TV2XA5CNFSM4GK33FGKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXYYJVY#issuecomment-502367447,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AGDEEVUJPL5DSNQ274RLDBTP2TV2XANCNFSM4GK33FGA
.

@sebastienricher did your original issue get resolved?

I'm unfortunately busy with other parts of the project, but I do intend to
revisit, as I will need to tackle this sooner or later, from what I read
here, I'm thinking this should work. I'll head back into this probably in
august after vacations.

On Wed, Jul 3, 2019 at 1:07 PM Artak notifications@github.com wrote:

@sebastienricher https://github.com/sebastienricher did your original
issue got resolved?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/aspnet/AspNetCore/issues/5385?email_source=notifications&email_token=ABOQZEXDPRLTXLO6LUL2F5TP5TMDJA5CNFSM4GK33FGKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODZFC2JY#issuecomment-508177703,
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABOQZEVG26GTKKUIZHL562TP5TMDJANCNFSM4GK33FGA
.

--

Sébastien Richer

Mobile : 514-296-0130

I'm having the same issue with ASP.NET Core 3 Preview 8 and "@microsoft/signalr": "^3.0.0-preview8.19405.7",

Access to XMLHttpRequest at 'http://10.10.10.10/myhub/negotiate' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

        public void ConfigureServices(IServiceCollection services)
        {
            // ********************
            // Setup CORS
            // ********************
            services.AddCors(options =>
            {
                options.AddPolicy(_corsPolicyName, builder => builder
                    .WithOrigins(
                        "http://localhost:8080",
                        "https://localhost:8080",
                        "http://localhost:4200",
                        "https://localhost:4200")
                    .AllowAnyMethod()
                    .AllowAnyHeader());
            });

            services.AddControllers();
            services.AddSignalR();

            services.AddSwaggerGen(c =>
            {
                c.SwaggerDoc("v1", new OpenApiInfo { Title = "My API", Version = "v1" });
            });
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseSerilogRequestLogging();

            app.UseHttpsRedirection();

            app.UseRouting();

            app.UseAuthorization();

            app.UseCors(_corsPolicyName);

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
                endpoints.MapHub<MyHub>("/myhub");
            });

            // Enable middleware to serve generated Swagger as a JSON endpoint.
            app.UseSwagger();

            // Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.),
            // specifying the Swagger JSON endpoint.
            app.UseSwaggerUI(c =>
            {
                c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
                c.RoutePrefix = string.Empty;
            });
        }

You need .AllowCredentials() as part of your CORS setup.

After adding .AllowCredentials() I get a different error.

Access to XMLHttpRequest at 'http://10.10.10.10/mysvc/myhub/negotiate' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I moved app.UseCors(_corsPolicyName); above app.UseRouting(); as shown below and I'm now getting connected. Is there any plans to make the order irrelevant?

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseCors(_corsPolicyName);

            app.UseSerilogRequestLogging();

            app.UseHttpsRedirection();

            app.UseRouting();

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
                endpoints.MapHub<MyHub>("/myhub");
            });

            // Enable middleware to serve generated Swagger as a JSON endpoint.
            app.UseSwagger();

            // Enable middleware to serve swagger-ui (HTML, JS, CSS, etc.),
            // specifying the Swagger JSON endpoint.
            app.UseSwaggerUI(c =>
            {
                c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
                c.RoutePrefix = string.Empty;
            });
        }

Is there any plans to make the order irrelevant?

Middleware are supposed to follow the order they are written in. We will not be changing that.

I can confirm,
that I've faced same issue on .NET core 2.2 and SignalR where source of trouble was incorrect order of Middlewares. I think in this thread we are mixing this issue and issue call ".AllowCredentials() always".

This Middleware order worked for me:
//UseSignalR must be before UseMvc!!! app.UseSignalR(routes => { routes.MapHub<ChatHub>("/chatHub"); }); app.UseMvcWithDefaultRoute();

I would consider this issue closed.

@dalibor-sanzeru is right that various issues have been conflated here.

CORS functionality is now more inline with spec and the docs need to acknowledge this where appropriate. That and use of credentials is necessary and is currently a requirement for SignalR. There has also been some rumblings on whether to make it configurable and whether or not it would be possible.

Please file a new issue for any further discussions or questions about CORS and SignalR. Thanks!