4

I am migrating a .NET Core Web API from 2.2 to 3.1. I have followed the Microsoft migration instructions and placed the call to the CORS middleware between UseRouting and UseEndpoints. However, I am still getting CORS errors.

In the ConfigureServices method, I have:

```csharp
services.AddCors();
```

In the Configure method, I have:

```csharp
app.UseRouting();

app.UseCors(options => options
        .AllowAnyOrigin()
        .AllowAnyHeader().AllowAnyMethod()
    );

app.UseAuthentication();

app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});
```

The console error in the web browser is:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5000/users/login. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5000/users/login. (Reason: CORS request did not succeed).

Diagnostics:

I tried following Microsoft's documentation, Enable Cross-Origin Requests (CORS) in ASP.NET Core, but it uses outdated references, such as UseMvc and IHostingEnvironment.

I tried creating a brand new Web API and Ember Web-UI, but that did not work either. You can find a simple example at getting-started-with-ember-js-and-net-core-3.

Any idea what is causing the problem?

The ideal bounty reward will go to the answer that works. Preferably, a working bare-bones project will be posted on Git.

Note: I am allowing any origin right now just so I can get it to work. Ultimately, this will need to work with a Web-UI that is on http://localhost:4200

Update

The status code received is HTTP 405 - method not allowed. The method in question is an OPTIONS method.

J Weezy
  • Have you checked the HTTP status code of the response? You can use the Network pane in browser devtools to check. Have you confirmed that it’s a 200 OK success response, rather than a 4xx or 5xx error? – sideshowbarker Mar 04 '20 at 06:38
  • HTTP error is 405, Method not allowed. I have added `AllowAnyMethod()` without success. Note, I can submit Postman requests to the back-end and get a response with HTTP 200. – J Weezy Mar 04 '20 at 06:48
  • 1
    OK yeah then it sounds like that 405 error is in response to the CORS preflight OPTIONS request. You can check the Network pane in browser devtools to confirm that. You should see the HTTP method listed as OPTIONS rather than POST or GET or whatever method your frontend JavaScript code is trying to use. Browsers send the CORS preflight OPTIONS request if your frontend code is trying to add any custom headers to the request, or if your frontend code is using an HTTP method other than GET, POST, or HEAD. – sideshowbarker Mar 04 '20 at 06:59
  • If that 405 is in response to the CORS preflight OPTIONS request, then the problem is that the `http://localhost:5000/users/login` server isn’t configured to allow OPTIONS requests. Configuring that server to allow OPTIONS request is something different and separate from the CORS configuration for the server. You may find a solution to the 405 problem in the existing answers at https://stackoverflow.com/a/43461131/441757 or https://stackoverflow.com/a/45623047/441757. – sideshowbarker Mar 04 '20 at 07:00
  • You may find a solution to the 405 problem in the existing answers at https://stackoverflow.com/a/43461131/441757 or https://stackoverflow.com/a/45623047/441757 – sideshowbarker Mar 04 '20 at 07:03
  • Yes, it is an OPTIONS method. – J Weezy Mar 04 '20 at 07:06
  • How do I set that up? If memory serves, MVC 5 was the last to have a web.config file, which was in XML format. I think Core uses appsettings.json. Additionally, why is this a problem in .NET Core 3.1 and not 2.2? – J Weezy Mar 04 '20 at 07:44

1 Answer

12

The .NET Core 2.2 to 3.0 migration document is incorrect. The call to UseCors(); needs to be placed before the UseRouting() function. I went ahead and added it before the UseHttpsRedirection() as I saw that in an implementation on another site.

https://learn.microsoft.com/en-us/aspnet/core/migration/22-to-30?view=aspnetcore-3.1&tabs=visual-studio#migrate-startupconfigure

In ConfigureServices

```csharp
services.AddCors(options =>
{
    options.AddPolicy("CorsApiPolicy",
    builder =>
    {
        builder.WithOrigins("http://localhost:4200")
            .WithHeaders(new[] { "authorization", "content-type", "accept" })
            .WithMethods(new[] { "GET", "POST", "PUT", "DELETE", "OPTIONS" });
    });
});
```

In Configure

```csharp
app.UseCors("CorsApiPolicy");

//app.UseHttpsRedirection();

app.UseJsonApi();

app.UseRouting();

app.UseAuthentication();

app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});
```
J Weezy
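
Added example, not part of the original thread: a simplified version of the checks a browser applies to the preflight OPTIONS response, which shows why the 405 in the question is blocked while a response carrying the `CorsApiPolicy` values passes. The names `checkPreflight`, `loginRequest`, `rejected` and `accepted` are hypothetical, the sample responses are constructed, and the login call is assumed to send a JSON `content-type` header.

```javascript
// Added example (not from the thread): simplified browser-side checks on a
// CORS preflight response for a non-credentialed request.
const SAFE_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into lower-cased tokens.
const tokens = v => (v || "").split(",").map(t => t.trim().toLowerCase()).filter(Boolean);

// request: { origin, method, headers: [non-safelisted header names] }
// response: { status, headers } as returned for the OPTIONS call.
// Returns the reasons a browser would block; an empty array means it passes.
function checkPreflight(request, response) {
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;
  const problems = [];
  if (response.status < 200 || response.status > 299)
    problems.push(`preflight status ${response.status} is not 2xx`);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined)
    problems.push("Access-Control-Allow-Origin missing");
  else if (allowOrigin !== "*" && allowOrigin !== request.origin)
    problems.push(`origin ${request.origin} not allowed`);
  const methods = tokens(h["access-control-allow-methods"]);
  const method = request.method.toUpperCase();
  if (!SAFE_METHODS.includes(method) && !methods.includes("*") &&
      !methods.includes(method.toLowerCase()))
    problems.push(`method ${method} not allowed`);
  const allowed = tokens(h["access-control-allow-headers"]);
  for (const name of request.headers.map(n => n.toLowerCase())) {
    // "*" does not cover Authorization; it must be listed by name.
    const wildcard = allowed.includes("*") && name !== "authorization";
    if (!wildcard && !allowed.includes(name)) problems.push(`header ${name} not allowed`);
  }
  return problems;
}

// Constructed sample data: a JSON login POST from the Web-UI origin.
const loginRequest = { origin: "http://localhost:4200", method: "POST", headers: ["content-type"] };
// Constructed: the 405 answer to OPTIONS described in the question.
const rejected = { status: 405, headers: { Allow: "POST" } };
// Constructed: a preflight answer matching the "CorsApiPolicy" values.
const accepted = { status: 204, headers: {
  "Access-Control-Allow-Origin": "http://localhost:4200",
  "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS",
  "Access-Control-Allow-Headers": "authorization,content-type,accept" } };

console.log(checkPreflight(loginRequest, rejected));
console.log(checkPreflight(loginRequest, accepted));
```

To check a running API, feed the status and headers of the OPTIONS entry from the browser's Network pane into `checkPreflight`.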