CORS Server Settings for ASP.net?

Question

I am attempting to implement CORS in my web API layer of a project and limit the domains that the API will allow requests from. I am using the app.UseCors() method in my Startup.cs to setup CORS globally:

    new public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);
        SystemConfiguration config = base.InitializeWebApiConfiguration();

        // add our Cors Policy
        app.UseCors(new CorsOptions
        {
            PolicyProvider = new CorsPolicyProvider
            {
                PolicyResolver = context => Task.FromResult(CorsPolicyHelper.GetCorsPolicy())
            }
        });

        var authorizeAttribute = new AuthorizeAttribute();
        config.HttpConfiguration.Filters.Add(authorizeAttribute);

        app.UseNinjectMiddleware(() => this._kernel.Value);
        app.UseNinjectWebApi(config.HttpConfiguration);

        InitializeMappingProfiles();
    }

The CorsPolicyHelper simply sets up a CorsPolicy object with the settings for Headers, Methods, Origins, etc. which are:

-AllowAnyMethod = true

-AllowAnyHeader = true

-SupportCredentials = true

-PreflightMaxAge = 604800 (7 days)

-Origins: "https://example.dev.com", "https://example-ci.test.com", "https://example-qa.test.com"

The problem I have is CORS is working on my dev and CI servers, however, it does not work on my QA server. My request has the correct origin "https://example-qa.test.com" but the resposne header does not include "Access-Control-Allow-Origin", and I am getting back:

XMLHttpRequest cannot load https://services-qa.test.com/api/data/. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://example-qa.test.com' is therefore not allowed access. The response had HTTP status code 500.

I'm not sure what the difference is between my dev, CI, and QA servers are. They should be the same. But is it possible there is a server setting I need to change on my QA server to make it work? Possibly something in IIS?

score 1 · Answer 1 · answered Jun 17 '16 at 20:32

1

Try this in your Web API's web.config (this version is cut down, but I'm sure you can put it together).

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <system.webServer>
   <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Origin" value="*" />
     </customHeaders>
   </httpProtocol>
 </system.webServer>
</configuration>

answered Jun 17 '16 at 20:32

Saturn K

2,705
4
26
38

This does get rid of the error but it also allows access to all origins because of the wildcard character. I wanted to limit it to only client URLs that I specify. – big_water Jun 18 '16 at 22:35
Yes I understand. I would never put "*". I just copied and pasted from one of my pet projects. You can modify the wild card to anything (i.e. *.mydomain.com, *.yahoo.com, etc.). This is what I would do: http://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols – Saturn K Jun 19 '16 at 21:45

score 0 · Answer 2 · answered Jun 17 '16 at 18:43

0

So, it's working 2 out of 3. My understanding is that for a preflight request to be successful, your IIS site needs to be set to allow anonymous access. Check your IIS settings on all three boxes to verify.

answered Jun 17 '16 at 18:43

Big Daddy

5,160
5
46
76

score 0 · Accepted Answer · answered Jun 18 '16 at 22:47

It ended up being a different problem. The app.UseCors() method I described above does work to enable CORS globally. The problem was in a transform I had for my web.config for the QA environment. It was a problem with the connection to the server that gives me my identity token. Thanks for the suggestions though!

CORS Server Settings for ASP.net?

3 Answers3