CORS rejecting white-listed address specified in Cors Policy (.WithOrigins)

0
votes

The origin is white-listed (http://localhost:4200/) in Startup.cs, yet the request is rejected due to Cors.

This is true for an a GET request on my API and when I try to establish a connection via SignalR. I'm able to get around Cors blocking the API request via AllowAllOrigins, but thats not a viable solution with SignalR, which requires .AllowCredentials.

The rejection shows I've white-listed the correct domain. It just seems like it isn't being honored. 

public void ConfigureServices(IServiceCollection services)
        {
            services.AddCors(options =>
                options.AddPolicy(MyAllowSpecificOrigins,
                    builder =>
                        {
                            builder
                               .WithMethods("GET","POST")
                               .AllowAnyHeader()
                               .AllowCredentials()
                               .WithOrigins("http://localhost:4200/");
                        }));  

            services.AddRazorPages();
            services.AddControllers();
            services.AddSignalR();
            services.AddDbContext<WebApplication2Context>(options =>
                    options.UseSqlServer(Configuration.GetConnectionString("WebApplication2Context")));
        }

I know the policy is being applied. When I change withOrigins to allOrigins it fails on startup.

3
angularasp.net-corecorssignalrasp.net-core-webapi
I suggest using "UseSpa" middleware instead of CORS whitelisting. You can run "ng serve" independently following way: docs.microsoft.com/en-us/aspnet/core/client-side/spa/…Milan Tenk

3 Answers

1
votes

When listing origins in WithOrigins(), ensure that they don’t have a trailing /, otherwise, the origin will never match and your cross-origin requests will fail.


    builder
        .WithMethods("GET","POST")
        .AllowAnyHeader()
        .AllowCredentials()
        .WithOrigins("http://localhost:4200"); // No trailing slash
0
votes

Make sure your config have correct order like this which mean your services.AddCors and app.UseCors must come first in the middleware pipeline

public void ConfigureServices(IServiceCollection services)
{
      services.AddCors();
      services.AddMvc();
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseCors(
        options => options.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()
    );

    app.UseMvc();
}
0
votes

You need to allow host origin like with SetIsOriginAllowed like:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
        options.AddPolicy(MyAllowSpecificOrigins,
            builder =>
                {
                    builder
                       .WithMethods("GET","POST")
                       .AllowAnyHeader()
                       .AllowCredentials()
                       .WithOrigins("http://localhost:4200"),
                       .SetIsOriginAllowed((host) => true)

                }));  

    services.AddRazorPages();
    services.AddControllers();
    services.AddSignalR();
    services.AddDbContext<WebApplication2Context>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("WebApplication2Context")));
}