Peter

Reputation: 227

Azure API Management doesn't send CORS header on 4xx

In my Azure API Management I have defined a CORS policy for an entire API. Everything works great with the OPTIONS command and the allowed-origin is returned with every successful request and also 500 responses.

For some strange reason, when the API returns a 401 or 403, the allowed-origin header is not sent back with the response. What I understand from the front end team here, is that this causes trouble because the browser and/or angular can't process the XHR response because it doesn't know if it is allowed to...

Does anyone know why API Management behaves like this and how I can prevent this?

Many thanks!

Peter

Upvotes: 3

Views: 887

Answers (1)

Darrel Miller

Reputation: 142014

My reading of the spec is that if a preflight request returns anything other than a 2XX response then the preflight request fails with a "network error". There is no indication that other CORS related headers should be included in the response.

Consider the case where someone does a preflight request to a resource that does not exist and the response is a 404. It would seem unreasonable to expect the server to return CORS headers for a non-existent resource.

It might be worth checking with the Angular team to find out why they are checking origin headers with non-2XX responses. Or if you can find me the place in the spec that says what headers should be returned, I'll be happy to communicate that information back to the team.

Upvotes: 1
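The two posts above talk about two different checks the browser performs: a preflight (OPTIONS) response is rejected outright when its status is not 2XX, whereas for the actual request the browser still applies the CORS check to the response headers whatever the status code, so a 401 or 403 without `Access-Control-Allow-Origin` becomes an opaque "network error" to the client script. The following script is an added example (not code from the question, the answer, or Azure API Management) that models both rules over constructed sample responses, so an API owner can audit captured responses for exactly the gap described in the question. The `Response` class, the sample data and the `audit` helper are all assumptions made for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    """A captured HTTP response, reduced to what the CORS check needs."""
    method: str            # request method that produced it
    status: int
    headers: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_check(resp, origin, credentials=False):
    """Decide, as a browser would, whether script on `origin` may read `resp`.

    Returns (readable, reason). Mirrors the two rules discussed above:
    - a preflight (OPTIONS) response must be 2XX, otherwise it fails regardless
      of headers;
    - every other response needs an Access-Control-Allow-Origin that matches
      the requesting origin (or "*" when no credentials are involved), and
      this applies to 401/403/404 just as much as to 200.
    """
    if resp.method.upper() == "OPTIONS" and not 200 <= resp.status < 300:
        return False, f"preflight returned {resp.status}: network error"

    allow_origin = _header(resp.headers, "Access-Control-Allow-Origin")
    if allow_origin is None:
        return False, f"{resp.status} response lacks Access-Control-Allow-Origin"

    if allow_origin == "*":
        if credentials:
            # Credentialed requests may not use the wildcard origin.
            return False, "wildcard Allow-Origin is not valid with credentials"
        return True, "ok (wildcard origin)"

    if allow_origin != origin:
        return False, f"Allow-Origin {allow_origin!r} does not match {origin!r}"

    if credentials and _header(resp.headers, "Access-Control-Allow-Credentials") != "true":
        return False, "credentialed request but Allow-Credentials is not 'true'"

    return True, "ok"


# Constructed sample responses reproducing the symptom from the question:
# the CORS header is present on 200 and 500 but missing on 401 and 403.
ORIGIN = "https://app.example.test"   # assumed front-end origin
SAMPLE_RESPONSES = [
    Response("OPTIONS", 200, {"Access-Control-Allow-Origin": ORIGIN,
                              "Access-Control-Allow-Methods": "GET, POST"}),
    Response("GET", 200, {"Access-Control-Allow-Origin": ORIGIN,
                          "Content-Type": "application/json"}),
    Response("GET", 500, {"access-control-allow-origin": ORIGIN}),
    Response("GET", 401, {"WWW-Authenticate": "Bearer"}),
    Response("GET", 403, {"Content-Type": "application/json"}),
    Response("OPTIONS", 404, {"Access-Control-Allow-Origin": ORIGIN}),
]


def audit(responses, origin, credentials=False):
    """Return [(method, status, readable, reason)] for each captured response."""
    report = []
    for resp in responses:
        readable, reason = cors_check(resp, origin, credentials)
        report.append((resp.method, resp.status, readable, reason))
    return report


def failing_statuses(responses, origin, credentials=False):
    """Just the (method, status) pairs a browser would hide from the client."""
    return [(m, s) for m, s, ok, _ in audit(responses, origin, credentials) if not ok]


if __name__ == "__main__":
    for method, status, readable, reason in audit(SAMPLE_RESPONSES, ORIGIN):
        flag = "readable" if readable else "BLOCKED "
        print(f"{flag}  {method:7} {status}  {reason}")
```

Running it lists the 401 and 403 as blocked for the missing header and the 404 preflight as blocked for its status, while the 500 (whose header name differs only in case) passes; the same `audit` call can be fed responses captured from a real gateway to confirm that error responses carry the CORS header before the front-end team has to debug opaque errors.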
