How to fix "The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time" error

Question

I've already enabled CORS on the project in C# .net Core

In startup.cs I've added lines

...
services.AddCors();
...
app.UseCors(builder => builder
    .AllowAnyOrigin()
    .AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials());

But when I try to use API in another Blazor project I see in logs in my API project on Host this error

The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the policy by listing individual origins if credentials needs to be supported

My code in Blazor

using (HttpClient http = new HttpClient()) {
  http.DefaultRequestHeaders.Add("Authorization", "Token");
   var response = await http.GetStringAsync("https://example.com?prm=2");
   Console.WriteLine(response);
   dynamicContent = response;
}

Before I enable Cors I see another error in the browser console

What can I change for solving it?

The error is pretty clear. You can't specify `*` for the origin when using credentials. Set the origin to your server's actual domain name. Also, these headers must be set *by the server*, not in your client headers. — , Dec 07 '18 at 19:41
I already told you the solution, as does the error message. Again, "Set the origin to your server's actual domain name." — , Dec 07 '18 at 19:42
Instead of “*” please put “https://example.com” (including protocol) as suggested by Amy.. The limitation is only 1 external domain can be specified.. — estinamir, Dec 07 '18 at 20:09
Again, this needs to be set **on the server**, not in your client. — , Dec 07 '18 at 20:23
May be try going with this approach: https://stackoverflow.com/a/44379971/10634638 — estinamir, Dec 07 '18 at 20:41
@daniherrera Yes, You are right. It's probably a host's problem because now I've tried to call another API server and it's work well. Maybe I need to config nginx — Igor Cova, Dec 08 '18 at 12:12
@daniherrera @amy I've solved it just drop `http.DefaultRequestHeaders.Add("Access-Control-Allow-Origin", "*");` and in row `var response = await Http.GetStringAsync("https://example.com?prm=2");` change `Http` to `http` — Igor Cova, Dec 08 '18 at 12:18
You can follow this link, it's work for me: https://mykkon.work/how-to-setup-any-origin/ — Truc, Mar 25 '20 at 10:01

score 110 · Answer 1 · edited Jan 08 '20 at 19:46

110

I had the same issue and I removed AllowCredentials() that fixed the issue for me.

edited Jan 08 '20 at 19:46

granadaCoder

26,328
10
113
146

answered Sep 14 '19 at 07:55

Nicola Di Lillo

1,761
1
11
9

13

Yes, this was applicable for me when upgrading from Asp.Net Core 2.1 to Asp.Net Core 3.1 – Ralph Willgoss Feb 14 '20 at 10:34
1

Thanks, one bug less while upgrading to Net Core 3.1 from Net Core 2.2 :) – Fellow7000 Jun 15 '20 at 23:26
Thanks. That was the issue for me also! – Calin Vlasin Jun 12 '21 at 15:09

score 61 · Accepted Answer · edited May 05 '20 at 00:47

You should have provided the rest of your code... Is this a Blazor client application or Razor Components application (formally known as Server-Side Blazor) ? I guess this is a Blazor client application, right ? Why do you instantiate an HttpClient ? You should use DI (Perhaps Constructor Injection) instead, injecting an HttpClient instance provided by Blazor itself.

The problem is probably server side, though it surfaces as a client one... Try the following:

Get https://www.nuget.org/packages/Microsoft.AspNetCore.Cors/

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder.AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader());
    });
     .....
}

And this:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)    
{
      app.UseCors("CorsPolicy");
}

Note, once again: CORS needs to be enabled on the server side, not in blazor. See https://learn.microsoft.com/en-us/aspnet/core/security/cors for details on how to enable CORS in ASP.NET Core.

Blazor:

 @page "/<template>"
 @inject HttpClient Http


@functions {

    protected override async Task OnInitAsync()
    {
        var response= await Http.GetJsonAsync<string>    
                      ("https://example.com?prm=2");

    }

}

Hope this helps...

Credentials cannot be used with any origin. See the comments on the question. — , Dec 07 '18 at 21:41
On the server, I have .net Core API project - and now I develop Blazor client project. In my question is shown that I add and use Cors. It's not help me — Igor Cova, Dec 08 '18 at 05:28

Konstantin Nikolskii · Answer 3 · 2020-04-22T07:56:31.247

61

It's little bit late, but I hope it could be helpful for someone.

If you want AllowCredentials() and AllowAnyOrigin() together just use SetIsOriginAllowed(Func<string,bool> predicate)

doc about IsOriginAllowed

        services
            .AddCors(options =>
            {
                options.AddPolicy("CorsPolicy",
                    builder => builder
                    .AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader()
                    );

                options.AddPolicy("signalr",
                    builder => builder
                    .AllowAnyMethod()
                    .AllowAnyHeader()

                    .AllowCredentials()
                    .SetIsOriginAllowed(hostName => true));
            });

edited Apr 22 '20 at 07:56

answered Feb 27 '20 at 08:35

Konstantin Nikolskii

1,075
1
12
17

12

This should be accepted answer, allows AnyOrigin and Credentials at the same time. – tomec Mar 02 '20 at 14:00
3

This is very dangerous if the server is publicly accessible, see https://ejj.io/misconfigured-cors/ – Mike Rosoft Jul 14 '21 at 15:23

score 49 · Answer 4 · answered Mar 04 '20 at 11:16

49

I also faced same issue, and I found solution here:

Setup Any Origin And Any Credentials

Change your CORS setup in startup.cs file like this

public void ConfigureServices(IServiceCollection services)
{
    // ...
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(builder => 
            builder.SetIsOriginAllowed(_ => true)
            .AllowAnyMethod()
            .AllowAnyHeader()
            .AllowCredentials());
    });
}

It works for me.

answered Mar 04 '20 at 11:16

Kurniawan Prasetyo

669
6
5

1

I had to add "app.UseCors" under Configure in Startup.cs to get this to work – reggaeguitar Apr 13 '20 at 18:11
Thanks Kurniawan Prasetyo. Your solution has worked for me! :) – Mily Aug 03 '20 at 09:04
OMG, I love you I have been searching for something like this last 2 days! – Andrew Black Oct 22 '20 at 15:20

score 19 · Answer 5 · answered Nov 07 '20 at 19:26

Step 1 Install nuGet package :
Microsoft.AspNetCore.Cors

Step 2 add

services.AddCors();

in startup.cs under ConfigureServices

Step 3 add

    app.UseCors(x => x
                .AllowAnyMethod()
                .AllowAnyHeader()
                .SetIsOriginAllowed(origin => true) // allow any origin
                .AllowCredentials());

in startup.cs under Configure

score 8 · Answer 6 · answered May 08 '20 at 18:29

You cannot use both AllowAnyOrigin() and AllowCredentials() at the sametime so change your code to:

...
services.AddCors();
...
app.UseCors(builder => builder
    .WithOrigins("https://example.com")
    .AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials());

score 2 · Answer 7 · answered Nov 03 '20 at 09:03

I had the same issue, the problem was solved by removing slash( / ) from the ending of URL, because I always copy and paste urls from chrome browser and it has the / at the end :

  .WithOrigins("https://localhost:60576/")  // not working

but

  .WithOrigins("https://localhost:60576")  // working  !!!

How to fix "The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time" error

7 Answers7

Linked