Reputation: 111
I have checked several other threads on this and still can't manage to figure this out. I'm wanting to allow any origin, header, method, etc. to access my .NET Core 2.2 API.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors();
        services.AddMvc();
        ...
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, IApplicationLifetime lifetime, IDistributedCache cache)
    {
        app.UseCors(builder => builder.AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader()
            .AllowCredentials());
I made sure the CORS methods were called first within ConfigureServices and Configure. I'm testing this locally and from the server and get this same error on both in Chrome.
Access to XMLHttpRequest at 'https://xxxxx.azurewebsites.net/api/Employees/getCurrentEmployee' from origin 'https://xxxxxxxxxx.azurewebsites.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Upvotes: 4
Views: 5971
Reputation: 878
Allow CORS requests in .NET Core 2.2 in the following way:

    // This method gets called by the runtime. Add/allow tags are per your needs
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("AllowAllOrigins",
                builder => builder.AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader()
            );
        });
    }
Thanks
Upvotes: 3
Reputation: 111
I think this actually had more to do with the fact that my app was not publishing to the app service properly and therefore not reflecting the code from above. Doh!
Upvotes: -3
Reputation: 3195
In the ConfigureServices method:

    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder
                .SetIsOriginAllowed((host) => true)
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials());
    });

In the Configure method:

    app.UseCors("CorsPolicy");
Upvotes: 4
Reputation: 164
You could try using a Policy instead:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(setup => setup.AddPolicy("CorsPolicy", builder =>
        {
            builder.AllowAnyOrigin()
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials();
        }));
        ...
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, IApplicationLifetime lifetime, IDistributedCache cache)
    {
        app.UseCors("CorsPolicy");

If AllowAnyOrigin() does not work you can always be specific and write the URL in .WithOrigins("<url>")
So it'd be:
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(setup => setup.AddPolicy("CorsPolicy", builder =>
        {
            builder.WithOrigins("https://xxxxxxxxxx.azurewebsites.net")
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials();
        }));
        ...
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, IApplicationLifetime lifetime, IDistributedCache cache)
    {
        app.UseCors("CorsPolicy");
Upvotes: 1
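Added example (not code from any of the posts on this page): one way to keep AllowCredentials() while limiting the policy to a validated allow-list, since browsers reject a wildcard Access-Control-Allow-Origin on credentialed requests and SetIsOriginAllowed((host) => true) accepts every calling site. The Cors:AllowedOrigins configuration key, the method list and the header list are assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    // Fail closed at startup: accept only exact https origins (scheme + host
    // [+ port]). Rejects "*", "null", http, wildcards and entries with a
    // trailing slash or path, which would never match an Origin header anyway.
    public static string[] ValidateOrigins(string[] origins)
    {
        if (origins == null || origins.Length == 0)
            throw new InvalidOperationException("Cors:AllowedOrigins is empty.");
        foreach (var o in origins)
        {
            if (o == null || o.Contains("*")
                || !Uri.TryCreate(o, UriKind.Absolute, out var uri)
                || uri.Scheme != Uri.UriSchemeHttps
                || !string.Equals(uri.GetLeftPart(UriPartial.Authority), o,
                                  StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException($"Invalid CORS origin: '{o}'");
        }
        return origins;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.json entry (hypothetical key), e.g.
        // "Cors": { "AllowedOrigins": [ "https://xxxxxxxxxx.azurewebsites.net" ] }
        var origins = ValidateOrigins(
            _config.GetSection("Cors:AllowedOrigins").Get<string[]>());

        services.AddCors(options => options.AddPolicy("CorsPolicy", builder =>
            builder.WithOrigins(origins)        // echoed back only on exact match
                   .WithMethods("GET", "POST")  // assumption: what the client uses
                   .WithHeaders("Content-Type", "Authorization")
                   .AllowCredentials()));
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseCors("CorsPolicy"); // before UseMvc so preflight requests are answered
        app.UseMvc();
    }
}
```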
Reputation: 3900
You can do it "manually", and this way it's simple to add extra logic to manage your requests. In your global.asax, add a custom header with the request domain so the sender will be allowed, or for a specific domain that you wish, or just a wildcard "*" which allows all. Be aware that Chrome gives a security warning with wildcards, so they should be avoided.

    .AddCustomHeader("Access-Control-Allow-Origin", HttpContext.Current.Request.UserHostAddress)
Upvotes: 1