In C# using WebApi2 I defined the following endpoint:

[EnableCors("*", "*", "Post", SupportsCredentials = true)]
[HttpPost]
[Route("myRouting")]
public HttpResponseMessage MyEndPoint()
{
    //...some code
}

and it works by calling it with:

var request = new XMLHttpRequest();
request.open('POST', url, true);
request.withCredentials = true;
request.send();

Trying to upgrade it to F# .NET Core without success:

let webApp =
    choose [
        route "/" >=> text "Description"
        POST >=> routef "myRouting" myEndPoint ]

let configureCors (builder : CorsPolicyBuilder) =
    builder.AllowAnyOrigin()
           .AllowAnyHeader()
           .WithMethods("POST")
           .AllowCredentials()
           |> ignore

let configureApp (app : IApplicationBuilder) =
    app.UseCors(configureCors)
       .UseGiraffe webApp

let configureServices (services : IServiceCollection) =
    services.AddCors()
            .AddGiraffe() |> ignore

Getting the error: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

I know about: "Specifying AllowAnyOrigin and AllowCredentials is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods."

Why does it work with WebApi2 and is there a way to get it to work without specifying any origin?

If you try .AllowAnyMethod() does it work? You might need to allow "OPTIONS" method - onemorecupofcoffee
Well, I don't get a 405 on the preflight. Actually there isn't a preflight at all. - Emaborsa

1 Answer

I think you need to add a policy when using the services.AddCors method in the configureServices function. Here's an equivalent example using your configuration adapted from a working F# .NET Core Web API I'm using in production:

let configureServices (services : IServiceCollection) =
    services.AddCors(fun options -> 
            options.AddPolicy("AllowAll", fun builder -> 
                 builder.AllowAnyHeader()
                        .AllowAnyOrigin()
                        .WithMethods("POST")
                        .AllowCredentials() |> ignore))
            .AddGiraffe()
            |> ignore
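
An added example, not part of the answer above or of the asker's code: a named policy that keeps AllowCredentials() but replaces AllowAnyOrigin() with an explicit origin allowlist, so the response never pairs the wildcard with credentials. The origins, the policy name and the handler body are assumptions made for illustration.

```fsharp
open Microsoft.AspNetCore.Builder
open Microsoft.AspNetCore.Cors.Infrastructure
open Microsoft.Extensions.DependencyInjection
open Giraffe

// Assumption: placeholder origins. List the exact scheme://host[:port] of each
// front end allowed to send credentialed requests, without a trailing slash.
let trustedOrigins = [| "https://app.example.com"; "https://admin.example.com" |]

// Hypothetical policy name, shared by AddCors and UseCors below.
let corsPolicyName = "TrustedFrontEnds"

// Stand-in for the question's handler, whose body is not shown on the page.
let myEndPoint : HttpHandler = text "ok"

let webApp : HttpHandler =
    choose [
        route "/" >=> text "Description"
        POST >=> route "/myRouting" >=> myEndPoint ]

let configureCors (builder : CorsPolicyBuilder) =
    builder.WithOrigins(trustedOrigins)   // explicit allowlist instead of AllowAnyOrigin()
           .AllowAnyHeader()
           .WithMethods("POST")
           .AllowCredentials()            // acceptable only because origins are named
           |> ignore

let configureServices (services : IServiceCollection) =
    services.AddCors(fun options ->
            options.AddPolicy(corsPolicyName, fun builder -> configureCors builder))
            .AddGiraffe()
            |> ignore

let configureApp (app : IApplicationBuilder) =
    // The CORS middleware has to be registered before Giraffe so that it can
    // add the Access-Control-* headers to the responses Giraffe produces.
    app.UseCors(corsPolicyName)
       .UseGiraffe webApp
```

With this policy a request from a listed origin gets that origin back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, and a request from any other origin gets no CORS headers, so the browser blocks the calling script from reading the response.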