12

I'm getting the following error in Chrome:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    app.UseIISPlatformHandler();

    app.UseDefaultFiles();
    app.UseStaticFiles();

    app.UseCors(policy => policy
       .WithOrigins("http://localhost:9000")
       .AllowAnyMethod()
       .WithHeaders("Access-Control-Allow-Origin, Content-Type, x-xsrf-token, Authorization")
       .AllowCredentials());

    app.UseMvc();
}

According to chrome there is not a single header being added to the response.

What is the correct way to add the access-control-allow-origin header to a options response in Asp.NET 5?

Mikhail
  • 9,186
  • 4
  • 33
  • 49
Jamesla
  • 1,378
  • 7
  • 31
  • 62
  • This is the bleeding edge, so I haven't had much time to play with it, but what you're doing doesn't seem to gibe with the official documentation: http://docs.asp.net/en/latest/security/cors.html Not saying it's incorrect, but where did you find your guidance? I wouldn't have thought you are required to explicitly set a `Access-Control-Allow-Origin` header given that you are obviously setting a CORS policy. – Mister Epic Dec 03 '15 at 21:36
  • I really don't remember the app.UseCors block I put in a long time ago when I had to get my standard GET requests for the page working. (They don't work without it). However now that I have got to more complex requests, the browser is sending a preflight request which this bit of code doesn't work for. – Jamesla Dec 03 '15 at 23:54
  • Also I will point out that the documentation there is actually outdated (although the latest). – Jamesla Dec 06 '15 at 05:22
  • Why don't you use `.AllowAnyHeader();`? – Sirwan Afifi Dec 06 '15 at 06:57

4 Answers4

5

Consider that Google Chrome has an issue which does not support localhost to go through the Access-Control-Allow-Origin.

In your code, you have enabled CORS with the AddCors and UseCors methods in Configure method, please make sure you've followed the instructions available in Specifying a CORS Policy (which is used in ConfigureServices method) and How to enable CORS in ASP.NET 5

You can also simply write an Action Filter for plain Asp.net MVC controller.

Types of CORS'

  1. Microsoft.AspNet.WebApi.Cors : use it to enable the CORS request ONLY for the Web APIs.
  2. Microsoft.AspNet.Cors : Use it to enable CORS for MVC controllers.
  3. Microsoft.Owin.Cors : Use it to enable CORS for all cross-origins requests coming to your site, for example, when you you want to enable CORS for both Web API and SignalR.
Community
  • 1
  • 1
Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
2

It doesn't really make sense but as @Sirwan suggested, using .AllowAnyHeader() set the access on the options response...

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
Jamesla
  • 1,378
  • 7
  • 31
  • 62
0

to overcome preflight issue add same name method as [httpoption] in your API and return success from there, now just run your web/client application you will hit the same method twice very first time httpoption method will hit and then your original

Amirhossein Mehrvarzi
  • 18,024
  • 7
  • 45
  • 70
Megha shah
  • 232
  • 3
  • 13
0

Place this in the configure section in the startup.cs file:

app.UseCors (x => x.AllowAnyOrigin ().AllowAnyMethod ().AllowAnyHeader ());
double-beep
  • 5,031
  • 17
  • 33
  • 41
user12771301
  • 29
  • 4