Asp.NET MVC Core CORS

6
votes

We are working on application that has mobile part and web UI. The web UI uses angular and we have problems configuring the cors on the backend. Our code looks like this (just the code important to our problem):

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseCors("AllowAll");

    app.UseMvc();
}

public void ConfigureServices(IServiceCollection services)
{            
    services.AddMvc();

    //Add Cors support to the service
    services.AddCors(
        options => options.AddPolicy(
            "AllowAll", p => p.AllowAnyOrigin()
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials()
            )
        );
}

From the documentatiaon and other post on stackoverflow this should work, but not. What have we missed?

thnx

EDIT:

This is the request from POSTMAN:

curl 'https://guw.azurewebsites.net/api/token' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://localhost:9000' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36' -H 'Accept: /' -H 'Cache-Control: no-cache' -H 'Referer: http://localhost:9000/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: accept, authorization, content-type' --compressed

You can import this in postman and have a look on it. This request is sent by angular app.

Hope this helps.

At the end I decided to add in my middleware this method:

private void AddCors(HttpContext context)
{
    context.Response.Headers.Add("Access-Control-Allow-Headers", 
        new string[] { "Authorization", "Content-Type" });
    context.Response.Headers.Add("Access-Control-Allow-Methods", 
        new string[] { "OPTIONS", "POST", "GET", "DELETE", "PUT" });

    IEnumerable<string> allowedUrls = new List<string>()
    {
        "http://localhost:8100", 
        "http://localhost:9000"
    };

    if (allowedUrls.Count() > 0)
    {
        foreach(string x in allowedUrls)
        {
            var origin = context.Request.Headers.FirstOrDefault(
                key => key.Key == "Origin");
            var found = x.ToLower() == origin.Value.ToString().ToLower();
            if (found)
            {
                context.Response.Headers.Add("Access-Control-Allow-Origin", 
                    new string[] { origin.Value });
            }
        }
    }

    return;
}

EDIT:

This was good, but in the logic it not worked as I needed, so I ended up with this in my middleware class, and this works fine:

// Add CORS to every response
context.Response.Headers.Add("Access-Control-Allow-Headers", 
    new string[] { "Authorization", "Content-Type" });
context.Response.Headers.Add("Access-Control-Allow-Methods", 
    new string[] { "OPTIONS", "POST", "GET", "DELETE", "PUT" });
context.Response.Headers.Add("Access-Control-Allow-Origin", "*");

if (context.Request.Method.Equals("OPTIONS", StringComparison.Ordinal))
{ 
    context.Response.StatusCode = 204;
    return _next(context);
}

thx

2
asp.net-corecorsasp.net-core-mvc
"this should work, but not" You need to edit to add details about how you tested it and why it "but not"user1228
I finnaly added my method in my middleware. Edited my post.Wasyster
@Wasyster Vow, why add so much code? Isn't MVC already doing this for you?Kiran Challa
Belive or not, its not doing and I included everything. Tried every combination to figure out, and never worked.Wasyster
For the benefit of searchers, I had a similar problem with CORS - posted my answer here -> stackoverflow.com/a/40286658/852806HockeyJ

2 Answers

3
votes

In my application (which has angular2 as frontend), I am doing it following way-

        app.UseCors(builder => {
            builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
        });

Refer this for more information - https://docs.asp.net/en/latest/security/cors.html

See if this helps.

1
votes

You should read the following article to get a good understanding of how Cors can be used in ASP.NET 5.

https://docs.asp.net/en/latest/security/cors.html

Basically UseCors registers a Cors middleware to handle Cors related requests. But you actually need NOT register it in your case as MVC has built-in components (filters) which take care of it in a similar fashion. The Cors middleware is useful in scenarios where you do not want to use MVC.

So for you scenario, remove the UseCors registration and if you take a look at the above link, you can see that to enable global Cors policy, you can do something like below:

services.Configure<MvcOptions>(options =>
{
    options.Filters.Add(new CorsAuthorizationFilterFactory("AllowAll"));
});