13
votes

From what I understand, when enabled CORS accordingly, the response model should include the following header information (provided that I want to allow everything):

Access-Control-Allow-Origin: *
Access-Control-Allow-Method: *
Access-Control-Allow-Header: *

Enabling it in Startup:

public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddCors();
    services.ConfigureCors(options => 
    {
        options.AddPolicy("AllowAll", p => p.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader().AllowCredentials());
    });
    //...
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    //...
    app.UseCors("AllowAll");
    //...
}

The problem is that none of these headers are returned and I get the following error when trying to request from the API:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

1
Does this error comes in chrome console ?user2120121
did you register the Cors middleware before MVC middleware? can you share more info on your Configure method?Kiran Challa
As Kiran said, this won't work if you have added app.UseCors after app.UseMvc in your Startup.Configure method. You need to add the Cors middleware before the MVC middleware. (By the way, in RC1 there is no ConfigureCors method anymore and the options can be passed directly into the AddCors method)Daniel J.G.
@DanielJ.G., the correct order (app.UseCors before app.UseMvc) did the trick for me. Please add this as answer so I can upvote it :) Thanks! This is annoying since it is not mentioned in the latest docs.realMarkusSchmidt
I have not app.UseMvc() Only: app.UseHttpsRedirection(); app.UseRouting(); app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); });Kiquenet

1 Answers

19
votes

Make sure you add app.UseCors before app.UseMvc in your Startup.Configure method, because you need the CORS middleware to be applied before the MVC middleware.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    ...

    //Add CORS middleware before MVC
    app.UseCors("AllowAll");

    app.UseMvc(...);
}

Otherwise the request will be finished before the CORS middleware is applied. This is because UseMvc calls UseRouter which ends up adding the RouterMiddleware, and this middleware only executes the next configured middleware when a route handler wasn't found for the request.