How to Disable Azure Web App from overwriting CORS

Question

I have a .NET Core 2.1 app and I've added a CORS policy in ConfigureServices:

services.AddCors(options => options.AddPolicy("CorsPolicy",
            builder =>
            {
                builder.AllowAnyMethod().AllowAnyHeader()
                       .WithOrigins("http://localhost:4200")
                       .AllowCredentials();
            }));

and then in Configure:

app.UseCors("CorsPolicy");

Locally, this works great. When I deploy to my Azure Web App, it doesn't work. My client gets:

"Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'"

I can recreate that exact error by removing the .AllowCredentials() line locally.

I understand from the docs that Azure CORS takes over any code CORS:

"Don't try to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect."

I can't seem to stop Azure Web Apps from taking over. I've tried removing CORS using the CLI but I can't fully get rid of it.

az resource update --name web --resource-group MyGroup --namespace Microsoft.Web --resource-type config --parent sites/MySite --set properties.cors.allowedOrigins="" --api-version 2015-06-01

All that does is set the allowedOrigins to null. But it's still taking over. How can I remove all traces of CORS from Azure so only my code is used? Or, worst case scenario, how can I do the equivalent of "AllowCredentials" in Azure?

Answer 1

I had the same problem and had to remove all 'allowed origins' under the cors tab in the Azure Portal for the app service and restarting.

If that doesn't work there are some suggestions about removing the options header in the web config here Enable Access-Control-Allow-Credentials header in Azure website (Azure App Services)