Disable CORS middleware of Azure app service

11
votes

I wrote some code to handle CORS into my Web Api(.Net Core). These code perfectly works on my local and test server(Azure app service) but it is not working on production(Azure app service). It gives error-

XMLHttpRequest cannot load http://myapiproduction.co/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myuidashboard.co' is therefore not allowed access.

I gave correct allowed origin url in appsettings.Production.json. I removed all value (*) from CORS section of Azure app service(Production env).

enter image description here

When we removed every thing from CORS section of app service then our code logic should work because at a time only one middleware will work either app service's CORS middleware or our Web Api code logic.

Web Api (Startup.cs)-

var allowedOriginsArr = Configuration["AppSettings:AllowedOrigins"].Split(','); //Example- "http://myuidashboard.co"
services.AddCors(options =>
{
  options.AddPolicy("AllowAllCorsPolicy",
    builder => builder.WithOrigins(allowedOriginsArr)
               .WithMethods("GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS")
               .AllowAnyHeader()
               .WithExposedHeaders("X-Auth-Token")
               .AllowCredentials());
});

So, my question is - Is there any other setting i have to do to disable CORS middleware of Azure app service? I want to control CORS completely by code (Api logic).

3
azurecorsasp.net-core-webapiazure-app-service-envrmnt
Make sure your environment variable is set to access appsettings.production.json.Kalyan
If it worked in test Azure, but not in prod Azure? Sounds like those resources are configured differently. Ignore the GUI, look at the data. Compare the ARM templates for both resources. Study the differences. Do either of them have anything in the CORS section? If prod has a CORS section, remove it and redeploy.Troy Witthoeft
Can you run a profiler trace and show us the results of the exceptions tab? Go to Diagnose and Solve>Diagnostic Tools > .NET Profiler Trace and show us the results. Some times the CORS is caused due to invalid Date/Time values(I know this does not makes sense, but Ive seen it)Luis Rivera

3 Answers

0
votes

I don't think there is any extra setting to disable it explicitly from Azure App Service side. Microsoft itself recommend to use your CORS utilities instead of inbuilt one - Refer Here.

Note Provided by Doc -

Don't try to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect.
0
votes

Try to check the deployed appsettings.json in the associated appservice using Kudu or command line. Might be the appsettings isn't being applied.

Associated App Service > Under the Development Tools > Advanced Tools (Kudu)

Associated App Service > Under the Development Tools > Console

-1
votes

My azure site is programmed in vb.net, but ultimately I had to do this and then it worked:

Dim strMethod As String 

strMethod = Request.HttpMethod.ToUpper

If InStr(strMethod, "OPTIONS") Then

   Response.Flush()

End If