4

I'm using Visual Studio to publish an ASP.NET Core 2.1 app to AWS Lambda (serverless). No matter what I've tried I cannot get CORS to work.

All I really want to do is add the header access-control-allow-origin globally to my web app.

Has anyone ever successfully added headers to an ASP.NET Core 2.1 Serverless app?

Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    // AddCors must be before AddMvc
    services.AddCors();

    services.AddMvc()
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // UseCors must be before UseMvc
    app.UseCors(builder => builder
        .AllowAnyOrigin()
        .AllowAnyMethod()
        .AllowAnyHeader()
        .AllowCredentials()
    );
    // Also tried this
    // app.UseCors(
    //    o => o.WithOrigins("http://example.com").AllowAnyMethod()
    //);

    app.UseMvc();
}

No CORS headers are added to my pages. I'm using Chrome dev tools to inspect my headers. I should see them on the homepage (for example), correct?

Any ideas? I'm dyin over here. Thanks!

EDIT

This application only uses API Gateway, Lambda and a few other services. It's great because I'm only charged when someone hits my app. There are no hourly charges. No EC2 or ELB which is amazing.

Also, I almost added this to my original post. The article @sturcotte06 references has a gotcha.

The API Gateway (automatically generated) uses the ANY method in a proxy integration. The above article says this...

Important

When applying the above instructions to the ANY method in a proxy integration, any applicable CORS headers will not be set. Instead, your backend must return the applicable CORS headers, such as Access-Control-Allow-Origin.

Ugh! So it's saying I must do this on the backend (Startup.cs right?) which is exactly what seems to get ignored when published.

Joe Hakooz
  • I'm not sure, but isn't the whole idea of serverless not to have a server? ELB should be adding the CORS headers, not your app. Like, if you have asp.net core in your project, it means you have a host, which means you're serverful. You can even see the `IHostingEnvironment` appearing in your app... – Jazzwave06 Nov 21 '19 at 17:49
  • VS just creates a bunch of Lambda code. Somehow it magically converts pretty complex C# and it just works. Adding headers through Startup.cs should be no different I would think. – Joe Hakooz Nov 21 '19 at 17:53
  • Check after removing `AllowCredentials()`? Also, have you added `CompatibilityVersion` during `AddMvc` call? – user1672994 Nov 21 '19 at 17:53
  • @user1672994, I have been using CompatibilityVersion and tried several variations of UseCors. I updated my source code above. Thx – Joe Hakooz Nov 21 '19 at 17:59
  • Try to add an arbitrary header in your controller. I'm pretty sure the response from a lambda is an object, not an HTTP response. Elastic load balancer is responsible for sending an HTTP response back to the client. I would look for the ELB configuration for CORS if I were you. (Or cloudfront or whichever web server handles lambda traffic) – Jazzwave06 Nov 21 '19 at 18:01
  • https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html – Jazzwave06 Nov 21 '19 at 18:03
  • Thanks for the suggestions. I've added an edit with more info... – Joe Hakooz Nov 21 '19 at 18:17
  • Don't you need to map the allowed headers in the api gateway? Click on your endpoint and check method request and integration request. – RandomUs1r Nov 21 '19 at 18:22
  • @RandomUs1r, that's what I thought, but check out the yellow "Important" message in my post. AWS says it won't work for the ANY method which is exactly my case. – Joe Hakooz Nov 21 '19 at 18:24
  • Quick sanity check... Getting this to work on localhost bypasses any issues that may occur with API Gateway, correct? It doesn't currently work on localhost so maybe my issue is elsewhere? - EDIT scratch that. It does work on localhost. – Joe Hakooz Nov 21 '19 at 18:35
  • credentials + any origin is not supported by cors. – Daniel A. White Nov 21 '19 at 18:56
  • @Joe Hakooz I think you need to do both, return it from your app and set it as a header in the api gateway? – RandomUs1r Nov 21 '19 at 20:12
  • @RandomUs1r yeah it's looking more and more like my ultimate problem is getting API Gateway to add the headers. I'm deep in the rabbit hole right now. – Joe Hakooz Nov 21 '19 at 20:31

1 Answer

1

For whatever reason app.UseCors does not work in my scenario. However, app.Use does...

app.Use((context, next) =>
{
    context.Response.Headers["Access-Control-Allow-Origin"] = "https://example.com";
    return next.Invoke();
});

app.UseMvc();
Joe Hakooz
  • This worked for me, but I also had to add 2 more headers, "Access-Control-Allow-Methods", and "Access-Control-Allow-Headers" with defined headers. See this answer: https://stackoverflow.com/a/38259193/10237271 – Derek Kim Feb 06 '23 at 16:41
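
Added example, not part of the original answer or its comments: the `app.Use` workaround extended to cover the points raised in the thread, that is, an exact-match origin allowlist instead of any origin, the two extra headers mentioned in the comment above, and a direct reply to the `OPTIONS` preflight. The allowlist contents and the method and header lists are assumptions to adjust for the real API.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed allowlist; replace with the origins that really call this API.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.Ordinal) { "https://example.com" };

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.Use(async (context, next) =>
        {
            string origin = context.Request.Headers["Origin"];

            // Caches must not reuse a response across different origins.
            context.Response.Headers["Vary"] = "Origin";

            // Echo the origin only when it is on the allowlist; never "*".
            if (!string.IsNullOrEmpty(origin) && AllowedOrigins.Contains(origin))
            {
                context.Response.Headers["Access-Control-Allow-Origin"] = origin;
                context.Response.Headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
                context.Response.Headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
            }

            // Answer the preflight here so it does not depend on a matching MVC route.
            if (string.Equals(context.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase))
            {
                context.Response.StatusCode = StatusCodes.Status204NoContent;
                return;
            }

            await next();
        });

        app.UseMvc();
    }
}
```

With this middleware the `Access-Control-*` headers appear only on requests that carry an allowlisted `Origin` header, so a plain navigation to the homepage will show `Vary: Origin` but no CORS headers in Chrome dev tools.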