73

I solved this problem after not finding the solution on Stackoverflow, so I am sharing my problem here and the solution in an answer.

After enabling a cross domain policy in my .NET Core Web Api application with AddCors, it still does not work from browsers. This is because browsers, including Chrome and Firefox, will first send an OPTIONS request and my application just responds with 204 No Content.

Improve this question
4
  • What is a specific scenario where this fails? If it's "it fails all the time for any chrome/ff browser doing CORS" then how is this not covered already by the framework? Seems like that would be a pretty huge omission. Commented Feb 14, 2017 at 13:41
  • I agree. However, that is how it is. The framework will allow you to do CORS with built-in features, but it does not handle OPTIONS calls and this is a requirement for normal use of cross-domain api calls from browsers. However, you can avoid it by making a simpler call, like setting type to text/plain and a few other things. Then the browser won't do the OPTIONS call first. Commented Feb 15, 2017 at 11:56
  • IIS should be the one who handles the things, so anyone reading this after Nov 2017 should use IIS CORS module, blogs.iis.net/iisteam/introducing-iis-cors-1-0 Commented Apr 8, 2019 at 0:42
  • Yes or on Azure App Service, it seems for the last few years, it has been sufficient to set up CORS in Azure and allow certain domains or all domains (*). The above will work on Azure when NO domain is configured in CORS, which apparently means that Azure lets the application handle CORS itself. Commented Jan 5, 2021 at 13:04

14 Answers 14

Reset to default
59

Add a middleware class to your project to handle the OPTIONS verb.

using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Hosting;

namespace Web.Middlewares
{
    public class OptionsMiddleware
    {
        private readonly RequestDelegate _next;

        public OptionsMiddleware(RequestDelegate next)
        {
            _next = next;
        }

        public Task Invoke(HttpContext context)
        {
            return BeginInvoke(context);
        }

        private Task BeginInvoke(HttpContext context)
        {
            if (context.Request.Method == "OPTIONS")
            {
                context.Response.Headers.Add("Access-Control-Allow-Origin", new[] { (string)context.Request.Headers["Origin"] });
                context.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "Origin, X-Requested-With, Content-Type, Accept" });
                context.Response.Headers.Add("Access-Control-Allow-Methods", new[] { "GET, POST, PUT, DELETE, OPTIONS" });
                context.Response.Headers.Add("Access-Control-Allow-Credentials", new[] { "true" });
                context.Response.StatusCode = 200;
                return context.Response.WriteAsync("OK");
            }

            return _next.Invoke(context);
        }
    }

    public static class OptionsMiddlewareExtensions
    {
        public static IApplicationBuilder UseOptions(this IApplicationBuilder builder)
        {
            return builder.UseMiddleware<OptionsMiddleware>();
        }
    }
}

Then add app.UseOptions(); this as the first line in Startup.cs in the Configure method.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseOptions();
}
Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

I did this exact thing and can get the request to hit the Middleware, but it returns a "The requested URL can't be reached The service might be temporarily down or it may have moved permanently to a new web address. [chrome socket error]: A connection was reset (corresponding to a TCP RST)" error. What am I doing incorrectly?
I don't know. To troubleshoot I would open Fiddler and check the details of the request and response.
+1, but one thing need to be adjusted, do not call _next.Invoke if method is options, the request should end after calling context.Response.WriteAsync("OK");, so change Invoke implementation to be: if (context.Request.Method != "OPTIONS") { await this._next.Invoke(context); }
You may use CorsPolicyBuilder.AllowAnyOrigin(). Your answer doesn't have any disclaimer, somebody may find it and apply without understanding.
@AmenAyach doesn't matter because inside the if statement it returns context.Response.WriteAsync("OK"); so the _next.invoke(context) is never reached if the method is OPTIONS
|
41

I know it has been answered. Just answering with the updated information. So it would help others.

It is now built into the ASP.NET Core framework.

Just follow https://learn.microsoft.com/en-us/aspnet/core/security/cors

and replace

    app.UseCors(builder =>
   builder.WithOrigins("http://example.com"));

with

        app.UseCors(builder =>
       builder.WithOrigins("http://example.com")
              .AllowAnyHeader()
              .AllowAnyMethod()
              .AllowCredentials());
Improve this answer

6 Comments

Does it work? The issue was that Chrome sends an "OPTIONS" call first and does not get a go-ahead so the real call never comes from the Chrome browser. Is that what the "AllowAnyMethod" solves? Edit: I see now this is exactly what they addressed in the article you linked to!
fyi: If you don't want to allow any header or method, you can use the methods WithHeaders/WithMethods
by doing this I get 204 No Content in response status code
Is a 204 No Content a problem? Seems like the only info you should expect from an OPTIONS request is in the headers. No? Mozilla seems to agree.
This needs to go into Configure() in Startup.cs
|
26

This worked for me:

Make sure that this:

app.UseCors(builder => {
    builder.AllowAnyOrigin();
    builder.AllowAnyMethod();
    builder.AllowAnyHeader();
});

Occurs before any of these:

app.UseHttpsRedirection();
app.UseDefaultFiles();
app.UseStaticFiles();
app.UseCookiePolicy();

Remember, we are dealing with a "pipeline". The cors stuff has to be first.

Improve this answer

3 Comments

The question is whether these settings are applied upon an OPTIONS call
Thank you, this worked to me. I would like to highlight that the cors stuff must be first before any other HTTP request pipeline configuration method, as @NielsBrinch said.
I wonder why there are no warnings from the IDE or server about mistakes like these. These are simple pitfalls unsuspecting developers could find themselves in and spend extra hours on hours trying to debug. I guess stackoverflow has helped curb ALOT of developer depression.
9

There is no need in an additional middleware. As already mentioned above the only thing needed is the OPTIONS method allowed in Cors configuration. You may AllowAnyMethod as suggested here: https://stackoverflow.com/a/55764660/11921910

But it's safer to just allow the specific stuff like this:

app.UseCors(builder => builder
.WithOrigins("https://localhost", "https://production.company.com") /* list of environments that will access this api */
.WithMethods("GET", "OPTIONS") /* assuming your endpoint only supports GET */
.WithHeaders("Origin", "Authorization") /* headers apart of safe-list ones that you use */
);

Some headers are always allowed: https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header

Improve this answer

1 Comment

Why do you included OPTIONS method?
7

AspNetCoreModuleV2 OPTIONS problem

.Net core module does not know how to handle OPTIONS which causes a preflight CORS problem, so the solution is to exclude the OPTIONS verb from being handled by it. It's done by replacing the * with the verbs you want except the OPTIONS. Don't worry, the OPTIONS verb will be handled by the default loaded OPTIONSHandler:

IIS

Solution: Modify web.config

 <add name="aspNetCore" path="*" verb="* modules="AspNetCoreModuleV2" resourceType="Unspecified" />

Make it like this:

<add name="aspNetCore" path="*" verb="GET,POST,PUT,DELETE" modules="AspNetCoreModuleV2" resourceType="Unspecified" />

IIS Express: For Visual Studio Debugger

I tried modifying .vs\ProjectName\config\applicationhost.config at the bottom of the file but of no hope. Thus, in this specific case, you can use the chosen answer.

Improve this answer

2 Comments

This really fixed my issue. Thanks a lot. This was the correct solution for me as I was using dotnet core 7 API hosted on IIS 8.5.
I have troubles with IIS Express: For Visual Studio Debugger. The GET works but preflight for POST does not :/ I tried following app.UseOptions(); app.UseCors(policy => policy.WithOrigins("https://localhost:44414") .AllowAnyHeader() .AllowAnyMethod() .AllowCredentials()); and I am still getting Response to preflight request doesn't pass access control check. Any idea?
2

If you are using IIS and Windows Authentication and Cors, then make sure you enable both Windows (GET/PUT/POST/DELETE/ETC) and Anonymous Authentication (used for OPTIONS/Preflight) within IIS. Ran across this because it worked fine with NPM RUN SERVE, but didn't work in IIS because I had anonymous disabled. I assumed Windows Authentication was sufficient, and it was until I tried to PUT/POST something did I realize there was a problem. Preflight is required for PUT/POST and apparently doesn't work with Windows Authentication. Target framework is .NET 6.0.

builder.Services.AddControllers();
builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(
        builder =>
        {
            builder
            .WithOrigins(
                "https://myserver",
                "http://localhost:8080")
            .AllowCredentials()
            .WithHeaders(HeaderNames.ContentType, "x-custom-header")
            .AllowAnyMethod() 
            .WithExposedHeaders(HeaderNames.ContentType, "x-custom-header")
            ;
        });
});

// Compressed responses over secure connections can be controlled with the EnableForHttps option, which is disabled by default because of the security risk.
builder.Services.AddResponseCompression(options =>
{
    options.EnableForHttps = true;
});

// SQL
string connectionString = builder.Configuration.GetConnectionString("WebApiDatabase");
builder.Services.AddDbContext<otscorecard_2022_webapi.Models.WebApiDbContext>(options =>
    options.UseSqlServer(connectionString)
);

// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
   .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();
app.UseCors();  // IIS: enable both Windows (GET/PUT/POST/DELETE/ETC) and Anonymous Authentication (used for OPTIONS/PreFlight)
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.UseResponseCompression();
app.Run();
Improve this answer

Comments

1

I wanted to allow this for a single method, not using a middleware to allow this on any method. This is what I ended doing:

Manual handling of the 'OPTIONS' method

[HttpOptions("/find")]
public IActionResult FindOptions()
{
    Response.Headers.Add("Access-Control-Allow-Origin", new[] { (string)Request.Headers["Origin"] });
    Response.Headers.Add("Access-Control-Allow-Headers", new[] { "Origin, X-Requested-With, Content-Type, Accept" });
    Response.Headers.Add("Access-Control-Allow-Methods", new[] { "POST, OPTIONS" }); // new[] { "GET, POST, PUT, DELETE, OPTIONS" }
    Response.Headers.Add("Access-Control-Allow-Credentials", new[] { "true" });
    return NoContent();
}


[HttpPost("/find")]
public async Task<IActionResult> FindOptions([FromForm]Find_POSTModel model)
{
    AllowCrossOrigin();
    
    // your code...
}

private void AllowCrossOrigin()
{
    Uri origin = null;
    Uri.TryCreate(Request.Headers["Origin"].FirstOrDefault(), UriKind.Absolute, out origin);

    if (origin != null && IsOriginAllowed(origin))
        Response.Headers.Add("Access-Control-Allow-Origin", $"{origin.Scheme}://{origin.Host}");
}

And of course, you can implement IsOriginAllowed as you wish

private bool IsOriginAllowed(Uri origin)
{
    const string myDomain = "mydomain.com";
    const string[] allowedDomains = new []{ "example.com", "sub.example.com" };

    return 
           allowedDomains.Contains(origin.Host) 
           || origin.Host.EndsWith($".{myDomain}");
}

You can find more details on how to enable CORS for POST requests on a single endpoint

Improve this answer

Comments

1

Actually, none of the answers worked for me but I finally figured out what is the problem and I can't believe it I just moved app.UserCors("PolicyName"); before app.UseAuthorization(); and it started working!

I thought this might be helpful to someone.

services.AddCors(options =>
{
  options.AddPolicy("EnableCORS", bl =>
  {
    bl.WithOrigins(origins)
      .AllowAnyMethod()
      .AllowAnyHeader()
      .AllowCredentials()
      .Build();
  });
});


..........................
app.UseAuthentication();
app.UseCors("EnableCORS");
.....
app.UseAuthorization();
Improve this answer

Comments

1

You might be blocking the OPTIONS http verb in IIS. Check the "HTTP Verbs" Tab in Request Filtering settings in your IIS. Remove the highlighted option as shown in the image from the link below.

IIS Request Filtering

Improve this answer

Comments

0

I want to put a specific answer for my specific situation where i was testing both the api and the client web app locally. I know this is a late entry but CORS has changed so much in dot net core, i thought, newcomers like me might benefit with a full post.

For me, it was two issues that occurred back to back.

  1. CORS rejection error
  2. and also OPTIONS issue on firefox (I assume chrome would do the same)
  3. also my API is running HTTPS
  4. web app is without HTTPS
  5. both of them running locally, mentioning this again, for clarity.

First, this goes to public void ConfigureServices(IServiceCollection services)

        //lets add some CORS stuff 
        services.AddCors(options =>
        {
            options.AddDefaultPolicy(builder => {
                builder.WithOrigins("http://localhost:3000",
                                    "http://www.contoso.com");
                builder.AllowAnyMethod();
                builder.AllowAnyHeader();
                builder.AllowCredentials();
            });
        });

and then, this, goes to, public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

  app.UseCors();
Improve this answer

Comments

0

welcome .

[HttpOptions("/find")] public IActionResult FindOptions()

{
    Response.Headers.Add("Access-Control-Allow-Origin", new[] { (string)Request.Headers["Origin"] });
    Response.Headers.Add("Access-Control-Allow-Headers", new[] { "Origin, X-Requested-With, Content-Type, Accept" });
    Response.Headers.Add("Access-Control-Allow-Methods", new[] { "POST, OPTIONS" }); // new[] { "GET, POST, PUT, DELETE, OPTIONS" }
    Response.Headers.Add("Access-Control-Allow-Credentials", new[] { "true" });
    return NoContent();
}`enter code here`
Improve this answer

1 Comment

This question already contains multiple answers and an accepted answer. Can you explain where your answer differs from the other answers? Also know that Code-only answers are not useful in the long run.
0

Please ensure that you also change the COrs settings in appsettings.json if you have this kind of configuration.

  "App": {
    "ServerRootAddress": "http://localhost:44301/",
    "ClientRootAddress": "http://localhost:4200/",
    "CorsOrigins": "*",
    //"CorsOrigins": "http://*.mycompany.com,http://localhost:4200,http://localhost:9876",
    "SwaggerEndPoint": "/swagger/v1/swagger.json",
    "AllowAnonymousSignalRConnection": "true",
    "HomePageUrl": "/index.html"
  },

Because I failed checking this, I wasted 1 day trying to find why CORS is not working.

Improve this answer

Comments

0 
builder.Services.AddCors(options =>
{
    options.AddPolicy(name: _policyName,
    policy =>
    {
        policy.WithOrigins("https://Google.com") //for specific
            //.AllowAnyOrigin(); //Allow all origin
            .WithMethods("PUT", "DELETE", "GET"); //for specific
            //.AllowAnyMethod(); //Allow all methods
            .WithHeaders(HeaderNames.ContentType, "ApiKey"); //for specific header
            //.AllowAnyHeader(); //Allow all headers

    });
});

References: https://geeksarray.com/blog/how-to-setup-cors-policies-in-aspnet-core-web-api and https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-7.0

Improve this answer

Comments

0

I had the same problem with OPTIONS requests being denied but it turned out to be related to how I was re-using the AllowedHosts string in the .WithOrigin() call...

I ended up in a situation where if I entered the scheme or port into the appsettings.json's AllowedHosts then .Net would block the request with something like this:

[DBG] The request has an origin header: 'http://localhost:3000'.
[INF] CORS policy execution failed.
[INF] Request origin http://localhost:3000 does not have permission to access the resource.

... but if I didn't include the scheme or port then I couldn't re-use the same data in the .WithOrigins() call (and I didn't want to hard-code the hosts).

The solution for me in the end was sadly to create another property in appsettings.json that I could split and feed into .WithOrigins() like so:

appsettings.json

"AllowedHosts": "localhost;anotherdomainname.co.uk",
"AllowedCorsHosts": "http://localhost:3000;https://anotherdomainname.co.uk,"

Program.cs

builder.Services.AddCors(options =>
{
    string[] origins = builder.Configuration["AllowedCorsHosts"].Split(';');

    options.AddDefaultPolicy(
        corsBuilder =>
        {
            corsBuilder.WithOrigins(origins);
            corsBuilder.AllowAnyMethod();
            corsBuilder.AllowAnyHeader();
            corsBuilder.AllowCredentials();
        });
});

This appears to satisfy both the internal .Net CORS code and allows me to specify hosts without hard-coding them.

[DBG] Allowed hosts: localhost; anotherdomainname.co.uk
....
[DBG] The request has an origin header: 'http://localhost:3000'.
[INF] CORS policy execution successful.
[DBG] The request is a preflight request.

N.B. Don't just remove the AllowedHosts entry from appsettings.json entirely or .Net will default to allowing any host!

[DBG] Wildcard detected, all requests with hosts will be allowed.

I hope this helps someone

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.