4
votes

I am working with Azure API Management and have three APIs that I need to manage with it. When testing, the GET methods work fine; however, for the POST methods I get the following error:

Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied.

I have searched around and seen a number of issues with CORS and APIM; however, I haven't seen my specific issue as of yet.

The current configuration of the CORS policy is:

<policies>
    <inbound>
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
        </cors>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>

I have looked for answers in the following places:

https://docs.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies

Azure API Management CORS: Why do I get "Headers starting with 'Access-Control-' were removed..."

https://briancaos.wordpress.com/2018/04/05/azure-api-management-configure-cors-in-the-policy/

The questions I have are: 1. How do I need to shape my CORS policy? 2. Do I need to add anything to the API Startup.cs or config files to handle CORS too?

Thanks?


2 Answers

0
votes

As of end of 2020, besides the option to configure this through an XML policy, as stated in the docs, there is now also a visual way to configure this in the Azure Portal.

  1. Open your API in the Azure API Management section of the Azure portal
  2. Select All operations, or a single operation
  3. On the right, choose Inbound processing > Add policy

  4. You will get a list of prefab policy templates. Choose the "CORS" one and configure it at will:


That should cover the "how to shape your policy" part of your question. It is even possible to apply a policy, like CORS, globally to all APIs.

-1
votes

This message by itself does not indicate any problem; it merely states that the request that was received is not a CORS request, thus the CORS policy is ignored. Read through the CORS spec: a proper CORS request MUST have at least an Origin header and an optional Access-Control-Request-Method header for non-trivial requests. You can use a tool like VSCode REST client, Postman, or Fiddler to simulate such requests and see the CORS policy in action. Or, if you already have a browser client, use that and the browser will take care of sending the proper headers.
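
The classification described in the answer above, as an added example that is not part of the original posts and is not APIM's own code: a simplified model of how a gateway decides whether a request is a CORS request at all, then checks it against the policy from the question. The function names, the `POLICY` dict layout and the `https://app.example.com` origin are assumptions made for illustration.

```python
# Added example: simplified model of CORS request classification.
# POLICY mirrors the <cors> block in the question; all names are hypothetical.
POLICY = {"origins": {"*"}, "methods": {"GET", "POST"}}


def classify(method, headers):
    """Return 'not-cross-domain', 'preflight' or 'cors' for one request."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if not h.get("origin"):
        # No Origin (curl, a bare test-console call, server-to-server):
        # the request is not cross-domain and the CORS policy is skipped.
        return "not-cross-domain"
    if method.upper() == "OPTIONS" and h.get("access-control-request-method"):
        return "preflight"
    return "cors"


def evaluate(method, headers, policy=POLICY):
    """Return (kind, allowed, cors_response_headers) under the policy."""
    kind = classify(method, headers)
    if kind == "not-cross-domain":
        return kind, True, {}  # forwarded as-is, no CORS headers added
    h = {k.lower(): v.strip() for k, v in headers.items()}
    origin = h["origin"]
    if "*" not in policy["origins"] and origin not in policy["origins"]:
        return kind, False, {}
    # A preflight asks about the method of the request that will follow.
    wanted = h["access-control-request-method"] if kind == "preflight" else method
    if wanted.upper() not in policy["methods"]:
        return kind, False, {}
    resp = {"Access-Control-Allow-Origin": "*" if "*" in policy["origins"] else origin}
    if kind == "preflight":
        resp["Access-Control-Allow-Methods"] = wanted.upper()
    return kind, True, resp


# Constructed sample requests (not captured traffic).
ORIGIN = "https://app.example.com"
SAMPLES = [
    ("POST", {"Content-Type": "application/json"}),  # the case in the question
    ("OPTIONS", {"Origin": ORIGIN, "Access-Control-Request-Method": "POST"}),
    ("POST", {"Origin": ORIGIN}),
    ("OPTIONS", {"Origin": ORIGIN, "Access-Control-Request-Method": "DELETE"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, "->", evaluate(method, headers))
```
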