0

I have two applications:

WebAPI in .NET Core 2.0

Frontend MVC in .NET Core 2.0 which uses javascript to send post requests.

In both start ups I have

ConfigureServices
services.AddCors();
services
 .AddMvc()
 .AddFluentValidation(fv => fv.RegisterValidatorsFromAssemblyContaining<Startup>());


Configure
app.UseDeveloperExceptionPage();
app.UseAuthentication();

app.UseCors(builder => builder
      .AllowAnyOrigin()
      .AllowAnyMethod()
      .AllowAnyHeader()
      .AllowCredentials()
      );

app.UseMvc();

But still in browser's console it shows

"Same Origin Policy" does not allow you to load remote resources from "http://10.1.5.6:12345/test/add". (missing CORS headline "Access-Control-Allow-Origin")

UbuntuCore
  • 409
  • 7
  • 20

2 Answers2

0

When you specify .AllowCredentials() then you need to add .WithOrigins("http://frontenddomain"). this will add specific domain in Access-Control-Allow-Origin header.

else remove .AllowCredentials() then AllowAnyOrigin() will work because this will add * in header.

Browser doesn't allow credential to pass auth cookies with * origin. So depending on your use case either use AllowCredentials + WithOrigins or use only AllowAnyOrigin

Kaushal
  • 1,251
  • 1
  • 8
  • 8
  • With only ``AllowAnyOrigin`` Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin is therefore not allowed access. – UbuntuCore Aug 09 '18 at 10:45
  • For your use case, use .WithOrigins("http://frontenddomain") instead of .AllowAnyOrigin – Kaushal Aug 09 '18 at 10:47
  • But if request comes from javascript, thus user, so what Origins I gotta use? – UbuntuCore Aug 09 '18 at 10:47
  • Origin of Frontend MVC project. https://stackoverflow.com/questions/10883211/deadly-cors-when-http-localhost-is-the-originmay help if its localhost Or you can even add some test host entry (ex: mytest.com) in /etc/hosts which will redirect to localhosts – Kaushal Aug 09 '18 at 10:48
  • I'm connecting from my PC to virtual machine that has 2x port-forward and two reverse proxies (to front and to backend) but even on Firefox it doesn't like my (or actually any...) CORS settings. On chrome it works from time to time, but in other cases it throws cors errors. – UbuntuCore Aug 09 '18 at 12:30
  • Try specifying scheme "://" frontendip [ ":" port ]. Example for your api you have http://10.1.5.6:12345... whatever ip:port you using to browse your front end, set that as origin ex- http://10.1.5.6:5555 if your front end is on 10.1.5.6:5555. https://tools.ietf.org/html/rfc6454#section-7.1 – Kaushal Aug 09 '18 at 13:01
  • Nothing's working for me, huh. I'd want to mention once again, that from my fronted requests are send via javascript, so as an user, not frontend server. "this.$http.post('http://API:55555/users/login', this.user)" - Everything works fine when Im running front and backend on my pc, not vm over network. – UbuntuCore Aug 09 '18 at 13:28
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/177738/discussion-between-kaushal-and-ubuntucore). – Kaushal Aug 09 '18 at 13:44
0

Please go throw that u must get answer [Cors full details for .net core]

https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.1

In Your Case

options.AddPolicy("AllowAllMethods",
builder =>
{
    builder.WithOrigins("http://example.com")
           .AllowAnyMethod();
});
Arvind Singh
  • 71
  • 1
  • 3