I have a .NET Core 2.1 app and I've added a CORS policy in ConfigureServices:
    services.AddCors(options => options.AddPolicy("CorsPolicy",
        builder =>
        {
            builder.AllowAnyMethod().AllowAnyHeader()
                   .WithOrigins("http://localhost:4200")
                   .AllowCredentials();
        }));
and then in Configure:
    app.UseCors("CorsPolicy");
Locally, this works great. When I deploy to my Azure Web App, it doesn't work. My client gets:
"Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'"
I can recreate that exact error by removing the .AllowCredentials() line locally.
I understand from the docs that Azure CORS takes over any code CORS:
"Don't try to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect."
I can't seem to stop Azure Web Apps from taking over. I've tried removing CORS using the CLI but I can't fully get rid of it.
    az resource update --name web --resource-group MyGroup --namespace Microsoft.Web --resource-type config --parent sites/MySite --set properties.cors.allowedOrigins="" --api-version 2015-06-01
All that does is set the allowedOrigins to null. But it's still taking over. How can I remove all traces of CORS from Azure so only my code is used? Or, worst case scenario, how can I do the equivalent of "AllowCredentials" in Azure?
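
Added example, not part of the original post and not Azure or ASP.NET Core code: an approximation of the check a browser applies to a preflight response when the request's credentials mode is 'include', which is the check the quoted error reports as failing. The function name and the sample header set are constructed for illustration, and method matching is simplified to be case-insensitive.

```javascript
// Added example: approximates the browser's check of a preflight response
// when the request's credentials mode is 'include' (per the Fetch standard).
function checkCredentialedPreflight(origin, method, requestHeaders, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const list = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);
  const problems = [];

  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin === '*') {
    problems.push("Access-Control-Allow-Origin '*' is not accepted with credentials");
  } else if (allowOrigin !== origin) {
    problems.push(`Access-Control-Allow-Origin '${allowOrigin}' does not match '${origin}'`);
  }

  // Must be exactly 'true' (case-sensitive); a missing header reads as ''.
  const allowCreds = h['access-control-allow-credentials'] || '';
  if (allowCreds !== 'true') {
    problems.push(`Access-Control-Allow-Credentials is '${allowCreds}', must be 'true'`);
  }

  // With credentials, '*' in the lists below is a literal token, not a wildcard.
  const methods = list(h['access-control-allow-methods']).map((x) => x.toUpperCase());
  const wanted = method.toUpperCase();
  if (!['GET', 'HEAD', 'POST'].includes(wanted) && !methods.includes(wanted)) {
    problems.push(`Method ${wanted} is not in Access-Control-Allow-Methods`);
  }
  const allowed = list(h['access-control-allow-headers']).map((n) => n.toLowerCase());
  for (const name of requestHeaders.map((n) => n.toLowerCase())) {
    if (!allowed.includes(name)) {
      problems.push(`Header ${name} is not in Access-Control-Allow-Headers`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: a preflight response without Access-Control-Allow-Credentials.
const sampleWithoutCredentials = {
  'Access-Control-Allow-Origin': 'http://localhost:4200',
  'Access-Control-Allow-Methods': 'PUT',
  'Access-Control-Allow-Headers': 'content-type',
};
console.log(checkCredentialedPreflight('http://localhost:4200', 'PUT', ['Content-Type'], sampleWithoutCredentials));
```

Feeding it the headers actually returned by the deployed site's OPTIONS response shows which header the responding layer left out.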