1
votes

I am making a POST request to an API via Azure API Management.

If the Origin header is present and it's not one of those specified in the CORS policy, even Postman will return an empty response.

As soon as I disable the Origin header I can get a response.

So the problem is the following: for a web-based application we must enable CORS,

    <cors allow-credentials="true">
        <allowed-origins>
            ${env:CorsOrigin}
        </allowed-origins>
        <allowed-methods>
            <method>*</method>
        </allowed-methods>
        <allowed-headers>
            <header>*</header>
        </allowed-headers>
    </cors>

But our Cordova app is also calling the same API, and by default Cordova will append Origin: file://. Then API Management does strange things: it will cut the body, so the response will be empty. If I do the same request directly to the Azure Function, I will get a proper response back, and since Cordova does not care (to a degree; in our case that is OK) about CORS, I would expect API Management not to cut the response.

Also, API Management will not allow me to enter *, because of allow-credentials="true", and I also can't set it to allow file://

1
So, what is your question? - Vitaliy Kurokhtin
@VitaliyKurokhtin why is API Management doing what I am not asking for :) See updated post - Vova Bilyachat

1 Answer

1
votes

APIM does not support origins with the file scheme, only http and https. I'll see if we can fix it. But the workaround for allow-origins=* and allow-credentials=true is to use expressions:

    <allowed-origins>
        <origin>@(context.Request.Headers.GetValueOrDefault("Origin", "*"))</origin>
    </allowed-origins>

This way the response will contain the sent Origin header value in Access-Control-Allow-Origin and not just *, which is not allowed.
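
An added example (not part of the original answer, and not APIM code): a small Python model of the browser-side CORS check, showing why `*` is rejected for credentialed requests and which origins each policy style lets read a credentialed response. The policy names, the origins and the allowlist are constructed for illustration; the `allowlist` variant is an assumption about how one might restrict the echoed value to known origins.

```python
# Added example: models the browser's CORS check for a simple cross-origin request.
# Policy names, origins and the allowlist are constructed, not taken from APIM.

def response_headers(policy, origin, allowlist=()):
    """Headers a gateway would emit for a request carrying `origin`."""
    if origin is None:
        return {}
    if policy == "wildcard":        # models <origin>*</origin>
        acao = "*"
    elif policy == "reflect":       # models echoing the Origin header back
        acao = origin
    elif policy == "allowlist":     # echo back only explicitly trusted origins
        if origin not in allowlist:
            return {}
        acao = origin
    else:
        raise ValueError(f"unknown policy: {policy}")
    return {"Access-Control-Allow-Origin": acao,
            "Access-Control-Allow-Credentials": "true"}


def browser_accepts(origin, headers, credentials):
    """True if script running at `origin` is allowed to read the response."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not credentials:
        return acao == "*" or acao == origin
    # Credentialed request: '*' never matches, and Allow-Credentials must be "true".
    return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"


def audit(policy, origins, allowlist=()):
    """Map each probe origin to whether a credentialed cross-origin read succeeds."""
    return {o: browser_accepts(o, response_headers(policy, o, allowlist), True)
            for o in origins}


TRUSTED = ("https://app.example.com",)                              # constructed
PROBES = ("https://app.example.com", "https://other.example.net")   # constructed

if __name__ == "__main__":
    for policy in ("wildcard", "reflect", "allowlist"):
        print(policy, audit(policy, PROBES, TRUSTED))
```

With `reflect`, every probe origin passes the credentialed check; with `allowlist`, only the trusted one does.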