1

In my ASP.Net Core 2.2 setup I have a method to create an "allow all" CORS policy

public static IServiceCollection AddAllowAllCors(this IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("AllowAll", builder =>
        {
            builder.AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials()
                    .SetIsOriginAllowed(_ => true);

        });
    });
    return services;
}

Which is added in ConfigureServices:

public void ConfigureServices(IServiceCollection services)
{
...
    services.AddAllowAllCors();
...
}

Which I activate in my Configure method:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    ...
    app.UseCors("AllowAll");
    ...
}

When I try to make a PUT request from my React app, the OPTIONS request looks like this in Chrome: OPTIONS request

But the actual PUT request fails with a 405: PUT request

This is despite the fact that the Access-Control-Allow-Origin header in the OPTIONS response to be allowed. This worked in 2.1 but doesn't in 2.2. The exact error message is:

Access to fetch at 'MY_REQUEST_URI' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

I've also tried removing AllowCredentials() in the policy but that didn't make a difference.

brimble2010
  • 17,796
  • 7
  • 28
  • 45
  • I think error messages by default will not have the CORS policy attached to them. So the CORS error is just a symptom of the fact that it seems to think there's no handler for PUT requests to that endpoint. Any chance you have it set as an `[HttpPost]` instead of an `[HttpPut]` – Eric Damtoft Feb 25 '19 at 22:14
  • It looks like ASP.net core will respond to an `OPTIONS` request with Access-Control-Allow-Methods as whatever the Access-Control-Request-Method header is set to regardless of if a handler for that specific method actually exists – Eric Damtoft Feb 25 '19 at 22:15
  • I just tested it with `OPTIONS` and `Access-Control-Request-Method: INVALID_METHOD` and the options request came back as 204 with `Access-Control-Allow-Methods: INVALID_METHOD` – Eric Damtoft Feb 25 '19 at 22:16
  • Can you add .Build() to end of the builder then try again? – Hasan Feb 26 '19 at 05:39
  • Adding `.Build()` doesn't make a difference (I just tested that) and the docs don't use it either. – brimble2010 Feb 26 '19 at 08:51
  • 1
    Can you provide a [mcve] for this? – Kirk Larkin Feb 26 '19 at 09:40

3 Answers3

0

Looks like your CORS configuration is ok. But there is no actual PUT handler. You should check your API with some kind of rest client like postman or ARC first of all and then think about CORS.

Alex Lyalka
  • 1,484
  • 8
  • 13
  • What do you mean by CORS handler? I have a controller that handles PUT requests. As I mentioned in my question, this was working fine with PUT requests before upgrading to netcore2.2 – brimble2010 Feb 26 '19 at 08:41
0

A combination of turning off the new Endpoint Routing feature and disabling the WebDav module in IIS fixed this issue for me. I believe that because of Endpoint Routing, my preflight requests were actually being handled by the WebDav module and not by my app.

To turn off Endpoint Routing, set the flag to false in .AddMvc():

services.AddMvc(options =>
    {
        ...other options
        options.EnableEndpointRouting = false;
    })
brimble2010
  • 17,796
  • 7
  • 28
  • 45
-1
public static IServiceCollection AddAllowAllCors(this IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("AllowAll", builder =>
        {
            builder.AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowCredentials()
                    .AllowAnyOrigin();

        });
    });
    return services;
}
prisar
  • 3,041
  • 2
  • 26
  • 27
  • 1
    Using both `AllowAnyOrigin` and `AllowCredentials` is no longer allowed in ASP.Net Core 2.2: [CORS docs](https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.2#set-the-allowed-origins) – brimble2010 Feb 26 '19 at 08:40