6

We are working on application that has mobile part and web UI. The web UI uses angular and we have problems configuring the cors on the backend. Our code looks like this (just the code important to our problem):

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseCors("AllowAll");

    app.UseMvc();
}

public void ConfigureServices(IServiceCollection services)
{            
    services.AddMvc();

    //Add Cors support to the service
    services.AddCors(
        options => options.AddPolicy(
            "AllowAll", p => p.AllowAnyOrigin()
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials()
            )
        );
}

From the documentatiaon and other post on stackoverflow this should work, but not. What have we missed?

thnx

EDIT:

This is the request from POSTMAN:

curl 'https://guw.azurewebsites.net/api/token' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://localhost:9000' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36' -H 'Accept: /' -H 'Cache-Control: no-cache' -H 'Referer: http://localhost:9000/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: accept, authorization, content-type' --compressed

You can import this in postman and have a look on it. This request is sent by angular app.

Hope this helps.

At the end I decided to add in my middleware this method:

private void AddCors(HttpContext context)
{
    context.Response.Headers.Add("Access-Control-Allow-Headers", 
        new string[] { "Authorization", "Content-Type" });
    context.Response.Headers.Add("Access-Control-Allow-Methods", 
        new string[] { "OPTIONS", "POST", "GET", "DELETE", "PUT" });

    IEnumerable<string> allowedUrls = new List<string>()
    {
        "http://localhost:8100", 
        "http://localhost:9000"
    };

    if (allowedUrls.Count() > 0)
    {
        foreach(string x in allowedUrls)
        {
            var origin = context.Request.Headers.FirstOrDefault(
                key => key.Key == "Origin");
            var found = x.ToLower() == origin.Value.ToString().ToLower();
            if (found)
            {
                context.Response.Headers.Add("Access-Control-Allow-Origin", 
                    new string[] { origin.Value });
            }
        }
    }

    return;
}

EDIT:

This was good, but in the logic it not worked as I needed, so I ended up with this in my middleware class, and this works fine:

// Add CORS to every response
context.Response.Headers.Add("Access-Control-Allow-Headers", 
    new string[] { "Authorization", "Content-Type" });
context.Response.Headers.Add("Access-Control-Allow-Methods", 
    new string[] { "OPTIONS", "POST", "GET", "DELETE", "PUT" });
context.Response.Headers.Add("Access-Control-Allow-Origin", "*");

if (context.Request.Method.Equals("OPTIONS", StringComparison.Ordinal))
{ 
    context.Response.StatusCode = 204;
    return _next(context);
}

thx

Improve this question
6
  • "this should work, but not" You need to edit to add details about how you tested it and why it "but not" Commented Aug 8, 2016 at 20:36
  • I finnaly added my method in my middleware. Edited my post. Commented Aug 9, 2016 at 17:59
  • @Wasyster Vow, why add so much code? Isn't MVC already doing this for you? Commented Aug 9, 2016 at 18:01
  • Belive or not, its not doing and I included everything. Tried every combination to figure out, and never worked. Commented Aug 9, 2016 at 18:31
  • For the benefit of searchers, I had a similar problem with CORS - posted my answer here -> stackoverflow.com/a/40286658/852806 Commented Oct 27, 2016 at 14:23

2 Answers 2

Reset to default
3

In my application (which has angular2 as frontend), I am doing it following way-

        app.UseCors(builder => {
            builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
        });

Refer this for more information - https://docs.asp.net/en/latest/security/cors.html

See if this helps.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This was exactly what I needed for my Angular2 app too, the link was the gravy that helped explain why those additional methods made is "just work". +1
1

You should read the following article to get a good understanding of how Cors can be used in ASP.NET 5.

https://docs.asp.net/en/latest/security/cors.html

Basically UseCors registers a Cors middleware to handle Cors related requests. But you actually need NOT register it in your case as MVC has built-in components (filters) which take care of it in a similar fashion. The Cors middleware is useful in scenarios where you do not want to use MVC.

So for you scenario, remove the UseCors registration and if you take a look at the above link, you can see that to enable global Cors policy, you can do something like below:

services.Configure<MvcOptions>(options =>
{
    options.Filters.Add(new CorsAuthorizationFilterFactory("AllowAll"));
});
Improve this answer

1 Comment

You would need to provide more information in that case. How does the request look like over the wire, the action you are trying to hit etc.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.