Reputation: 8531
We have an issue with CORS policies and are not sure if it is a bug or not.
We tried setting CORS policy on a product used in an API, without any effect. Then we applied the same CORS policy on API level for "all operations". This time it worked as expected.
As we understand it, a CORS policy on product level should also be doable. We might be wrong, or is there some detail we should be aware of to have this working on a product level?
Upvotes: 2
Views: 373
Reputation: 7795
If your product requires a subscription, then for the CORS policy to work the key MUST be passed in the query string. The problem here is that if you try to pass the subscription key in a header, the browser will still send the OPTIONS request without any extra headers. APIM will not be able to identify the product and apply the subscription key. Thus the CORS policy will not work.
If the key is passed in the query string, on the other hand, this information is present in the OPTIONS request and APIM works as desired.
This is not an APIM problem per se, as the CORS spec itself does not allow for any extra headers in the OPTIONS request. And it only applies to requests that require a preflight OPTIONS request. CORS GET requests should work as those are sent directly.
Upvotes: 2
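The preflight behaviour described in the answer above, modelled as an added example (not part of the original posts and not APIM code): it builds the OPTIONS request a browser would send and checks whether a gateway could read a subscription key from it. `Ocp-Apim-Subscription-Key` and `subscription-key` are assumed to be the key header and query parameter names (APIM's defaults); the origin, URL and key are constructed.

```javascript
// CORS-safelisted request header names (Fetch spec); value checks kept minimal.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Assumed names for the subscription key (APIM defaults).
const KEY_HEADER = "ocp-apim-subscription-key";
const KEY_QUERY = "subscription-key";

function isUnsafeHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED.has(n)) return true;
  return n === "content-type" &&
    !SIMPLE_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// Returns the OPTIONS request the browser sends first, or null if none is needed.
// The preflight keeps the URL (query string included) but carries only the
// *names* of the custom headers, never their values.
function buildPreflight(origin, method, url, headers = {}) {
  const unsafe = Object.entries(headers)
    .filter(([n, v]) => isUnsafeHeader(n, v))
    .map(([n]) => n.toLowerCase())
    .sort();
  const m = method.toUpperCase();
  if (SIMPLE_METHODS.has(m) && unsafe.length === 0) return null;
  const preflight = {
    method: "OPTIONS",
    url,
    headers: { "origin": origin, "access-control-request-method": m },
  };
  if (unsafe.length) preflight.headers["access-control-request-headers"] = unsafe.join(",");
  return preflight;
}

// The key a gateway could read from a request to resolve the subscription/product.
function visibleSubscriptionKey(request) {
  const fromQuery = new URL(request.url).searchParams.get(KEY_QUERY);
  return request.headers[KEY_HEADER] ?? fromQuery ?? null;
}

// Constructed sample requests.
const ORIGIN = "https://app.example";
const API = "https://gateway.example/orders";
const KEY = "constructed-key-123";
const headerKeyPreflight = buildPreflight(ORIGIN, "PUT", API, { "Ocp-Apim-Subscription-Key": KEY });
const queryKeyPreflight = buildPreflight(ORIGIN, "PUT", `${API}?${KEY_QUERY}=${KEY}`);

console.log("key in header ->", visibleSubscriptionKey(headerKeyPreflight));
console.log("key in query  ->", visibleSubscriptionKey(queryKeyPreflight));
```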