Reputation: 181
Preflight Access-Control-Allow-Credentials
I'm having CORS trouble with my ASP.NET Core web app that is deployed as an Azure App Service. The front end is deployed as a different app service. When I try to access the Api from the front end I get this following error.
Failed to load https://chatclassifier.azurewebsites.net/chatcontroller/getchatData: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. Origin 'https://chatclassifierangularfrontend20180924084838.azurewebsites.net' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I am using some cookies to pass data between client and server.
I have set up more CORS policy in ASP.NET Core up as follows in Setup.cs
Configure Services:
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowAllHeaders",
builder =>
{
builder
.WithOrigins("https://XXXXXXXXXXangularfrontend20180924084838.azurewebsites.net")
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.Configure<FormOptions>(x =>
{
x.ValueLengthLimit = int.MaxValue;
x.MultipartBodyLengthLimit = int.MaxValue;
});
}
Configure:
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
var cookiePolicyOptions = new CookiePolicyOptions
{
Secure = CookieSecurePolicy.SameAsRequest,
MinimumSameSitePolicy = SameSiteMode.None
};
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
}
app.UseCors("AllowAllHeaders");
app.UseCookiePolicy(cookiePolicyOptions);
app.UseHttpsRedirection();
app.UseMiddleware(typeof(ApiExceptionHandling));
app.UseMvc();
}
I have not added any other CORS related code anywhere else in my API code. I have tried adding the CORS "AllowAllHeaders" attribute to my controller but this also did not work.
In addition I have added the following line of code to my web app config in Azure under CORS.
Obviously I have changed the URL name to include XXXXXX and have ensured they are the same in both my Azure Portal and Web App Code.
Any help would be greatly appreciated!
Upvotes: 2
Views: 1879
Answers (1)
Reputation: 58723
You should not combine the Azure App Service CORS config with config in code. If you enable CORS on the app service, your CORS configuration is basically ignored in code.
This is due to App Service intercepting the OPTIONS requests.
Upvotes: 4
Related Questions
- 401 Unauthorized response to CORS preflight OPTIONS request
- preflight request in enabled CORS ASP.NET Web API 2 application with windows authentication
- .NET CORE 2.0 Angular 5: Allowing Cors
- angular .net core api cors preflight request error
- Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response with .net core and angular
- ASP.NET Core: Windows Authentication with OPTIONS exception (CORS preflight)
- Angular 6 - Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header
- .NET Core allow CORS in authentication middleware
- Response to preflight request doesn't pass access control (Angular 2 - Web Api)
- Preflight CORS requests with Basic Authentication in Angular 2