6

We are working on application that has mobile part and web UI. The web UI uses angular and we have problems configuring the cors on the backend. Our code looks like this (just the code important to our problem):

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseCors("AllowAll");

    app.UseMvc();
}

public void ConfigureServices(IServiceCollection services)
{            
    services.AddMvc();

    //Add Cors support to the service
    services.AddCors(
        options => options.AddPolicy(
            "AllowAll", p => p.AllowAnyOrigin()
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials()
            )
        );
}

From the documentatiaon and other post on stackoverflow this should work, but not. What have we missed?

thnx

EDIT:

This is the request from POSTMAN:

curl 'https://guw.azurewebsites.net/api/token' -X OPTIONS -H 'Pragma: no-cache' -H 'Access-Control-Request-Method: POST' -H 'Origin: http://localhost:9000' -H 'Accept-Encoding: gzip, deflate, sdch, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36' -H 'Accept: /' -H 'Cache-Control: no-cache' -H 'Referer: http://localhost:9000/' -H 'Connection: keep-alive' -H 'Access-Control-Request-Headers: accept, authorization, content-type' --compressed

You can import this in postman and have a look on it. This request is sent by angular app.

Hope this helps.

At the end I decided to add in my middleware this method:

private void AddCors(HttpContext context)
{
    context.Response.Headers.Add("Access-Control-Allow-Headers", 
        new string[] { "Authorization", "Content-Type" });
    context.Response.Headers.Add("Access-Control-Allow-Methods", 
        new string[] { "OPTIONS", "POST", "GET", "DELETE", "PUT" });

    IEnumerable<string> allowedUrls = new List<string>()
    {
        "http://localhost:8100", 
        "http://localhost:9000"
    };

    if (allowedUrls.Count() > 0)
    {
        foreach(string x in allowedUrls)
        {
            var origin = context.Request.Headers.FirstOrDefault(
                key => key.Key == "Origin");
            var found = x.ToLower() == origin.Value.ToString().ToLower();
            if (found)
            {
                context.Response.Headers.Add("Access-Control-Allow-Origin", 
                    new string[] { origin.Value });
            }
        }
    }

    return;
}

EDIT:

This was good, but in the logic it not worked as I needed, so I ended up with this in my middleware class, and this works fine:

// Add CORS to every response
context.Response.Headers.Add("Access-Control-Allow-Headers", 
    new string[] { "Authorization", "Content-Type" });
context.Response.Headers.Add("Access-Control-Allow-Methods", 
    new string[] { "OPTIONS", "POST", "GET", "DELETE", "PUT" });
context.Response.Headers.Add("Access-Control-Allow-Origin", "*");

if (context.Request.Method.Equals("OPTIONS", StringComparison.Ordinal))
{ 
    context.Response.StatusCode = 204;
    return _next(context);
}

thx

Blag
  • 5,818
  • 2
  • 22
  • 45
Wasyster
  • 2,279
  • 4
  • 26
  • 58
  • *"this should work, but not"* You need to [edit] to add details about how you tested it and why it "but not" –  Aug 08 '16 at 20:36
  • I finnaly added my method in my middleware. Edited my post. – Wasyster Aug 09 '16 at 17:59
  • @Wasyster Vow, why add so much code? Isn't MVC already doing this for you? – Kiran Aug 09 '16 at 18:01
  • Belive or not, its not doing and I included everything. Tried every combination to figure out, and never worked. – Wasyster Aug 09 '16 at 18:31
  • For the benefit of searchers, I had a similar problem with CORS - posted my answer here -> http://stackoverflow.com/a/40286658/852806 – JsAndDotNet Oct 27 '16 at 14:23
  • Possible duplicate of [How to enable CORS in ASP.NET Core](https://stackoverflow.com/questions/31942037/how-to-enable-cors-in-asp-net-core) – Michael Freidgeim May 02 '18 at 21:20

2 Answers2

3

In my application (which has angular2 as frontend), I am doing it following way-

        app.UseCors(builder => {
            builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
        });

Refer this for more information - https://docs.asp.net/en/latest/security/cors.html

See if this helps.

Sanket
  • 19,295
  • 10
  • 71
  • 82
  • This was exactly what I needed for my Angular2 app too, the link was the gravy that helped explain why those additional methods made is "just work". +1 – Jon Peterson Nov 10 '16 at 15:01
1

You should read the following article to get a good understanding of how Cors can be used in ASP.NET 5.

https://docs.asp.net/en/latest/security/cors.html

Basically UseCors registers a Cors middleware to handle Cors related requests. But you actually need NOT register it in your case as MVC has built-in components (filters) which take care of it in a similar fashion. The Cors middleware is useful in scenarios where you do not want to use MVC.

So for you scenario, remove the UseCors registration and if you take a look at the above link, you can see that to enable global Cors policy, you can do something like below:

services.Configure<MvcOptions>(options =>
{
    options.Filters.Add(new CorsAuthorizationFilterFactory("AllowAll"));
});
Kiran
  • 56,921
  • 15
  • 176
  • 161
  • You would need to provide more information in that case. How does the request look like over the wire, the action you are trying to hit etc. – Kiran Aug 08 '16 at 20:57