CODEWITHSUNDEEP
c#asp.net-corecorsasp.net-core-3.0asp.net-core-3.1
yogihosting
yogihosting

Reputation: 6292

How to enable Cors for every type of request in asp.net core 3.1

How to enable Cors for every type of request in asp.net core 3.1?

I am following the MS Docs but they seem to not work.

Note: I am able to achieve cors for specific domains but not to every domain. For example the below configuration I have applied to my project:

  1. In the ConfigureServices(); method I added:

    services.AddCors();

  2. In the Configure() method I added:

    app.UseCors(builder => { builder .WithOrigins() .AllowAnyMethod() .AllowAnyHeader() .AllowCredentials(); });

But when I try to access the API with jQuery from another url then I get:

Access to XMLHttpRequest at 'https://localhost:44314/Reservation' from origin 'https://localhost:44361' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Now If i put the URL in the WithOrigins() method I am able to access the API:

app.UseCors(builder =>
{
    builder
    .WithOrigins("https://localhost:44361")
    .AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials();
});

My question is how to give access to the API to every URL(i.e domain, subdomain,etc) without restriction. Applying * does not work.

Please help.

Upvotes: 6

Views: 18233

Answers (3)

Venugopal M
Venugopal M

Reputation: 2412

I have done this way and it works.

public class Startup
{
    private const string CORS_POLICY = "CORSPolicy";
    ...

    public void ConfigureServices(IServiceCollection services)
    {
        ...
        services.AddCors(options =>
        {
            options.AddPolicy(name: CORS_POLICY,
                              builder =>
                              {
                                  builder
                                  .AllowAnyHeader()
                                  .AllowAnyMethod()                                      
                                  .SetIsOriginAllowed(options => true)
                                  .AllowCredentials();
                              });
        });
        
        services.AddMvc()
        .SetCompatibilityVersion(CompatibilityVersion.Latest);
        ...
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
    {
     ...
        app.UseCors(CORS_POLICY);
        app.UseMvc();
     ...
    }

Upvotes: 1

Kevin
Kevin

Reputation: 2404

you need to allow any origin which you do with the following:

builder.AllowAnyOrigin()

Any Origin with AllowCredentials

not allowing credentials to be sent from any origin is by design.

You can get around this by using the following

builder.SetIsOriginAllowed(_ => true)

I dont think it is a great solution because it removes the benefit of useCredentials().

Note

useCredentials is not required for sending a JWT in the header. It is for if you need to send cookies in the request. Allowing any origin and enabling useCredentials can lead to security vunerabilities which is why it is not allowed by default.

For more information you should read

What exactly does the Access-Control-Allow-Credentials header do?

and

CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

Upvotes: 5

Tony
Tony

Reputation: 20082

This should be good for you. Just ignore the MVC part I just add in for you to make sure your pipeline order is correct

public void ConfigureServices(IServiceCollection services)
{
      services.AddCors();
      services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseCors(
        options => options.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()
    );

    app.UseMvc();
}

Upvotes: 3

Related Questions