
I have a CORS problem in my ASP.NET Core MVC application. My framework version is .NET Core 3.1.

I want to make a request to our Jira server, so I need to add CORS. My Startup looks as follows:

    public void ConfigureServices(IServiceCollection services)
    {
        ...
        services.AddCors(options =>
        {
            options.AddPolicy(
                "MyPolicy", builder =>
                {
                    builder.WithOrigins("https://jira.server.com").AllowAnyHeader().AllowAnyMethod().AllowCredentials();
                });
        });
    }

    public async void Configure(IApplicationBuilder app, IHostingEnvironment env, AuthorizationDbContext context, RoleManager<IdentityRole> roleManager, UserManager<User> userManager)
    {
        ...

        app.UseRouting();
        app.UseCors("MyPolicy");

        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
        });
    }

My XMLHttpRequest looks like this:

    var data = { "fields": { "project": { "key": "projectName" }, "summary": "Test", "description": "Test", "issuetype": { "name": "Bug" }, "fixVersions": [{ "name": "Ideenpool" }] } };

    var xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        // Log the outcome once the request has completed.
        if (xhr.readyState === XMLHttpRequest.DONE) {
            console.log(xhr.status, xhr.responseText);
        }
    };
    xhr.open("POST", "https://jira.server.com/api/2/issue", true);
    xhr.withCredentials = true;
    xhr.setRequestHeader("Content-Type", "application/json");
    // Access-Control-Allow-Origin is a response header that the server receiving the
    // request must send; setting it on the request has no effect on CORS.
    xhr.setRequestHeader("Authorization", "Basic " + btoa("username:password"));
    // send() takes a string or body object; a plain object would be serialised as "[object Object]".
    xhr.send(JSON.stringify(data));

I always get the error: Access to XMLHttpRequest at 'https://jira.server.com/api/2/issue' from origin 'https://localhost:44301' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I tried allowing all origins and putting a "*" in my request, but I always get the same error. My curl request in cmd works.

Does anyone have an idea? What am I missing?

Best regards Sebastian

shermes

1 Answer

As per the official documentation, it must be noted that:

Specifying AllowAnyOrigin and AllowCredentials is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods. The HTTP response includes an Access-Control-Allow-Credentials header, which tells the browser that the server allows credentials for a cross-origin request.

If the browser sends credentials but the response doesn't include a valid Access-Control-Allow-Credentials header, the browser doesn't expose the response to the app, and the cross-origin request fails.

Allowing cross-origin credentials is a security risk. A website at another domain can send a signed-in user's credentials to the app on the user's behalf without the user's knowledge. The CORS specification also states that setting origins to "*" (all origins) is invalid if the Access-Control-Allow-Credentials header is present.

If you are specifying builder.WithOrigins("https://jira.server.com"), you don't need to specify AllowCredentials(). Take a look at the GitHub issues here and here.

To get it to work, try this code:

    public void ConfigureServices(IServiceCollection services)
    {
        ...
        services.AddCors(options =>
        {
            options.AddPolicy(
                "MyPolicy", builder =>
                {
                    builder.WithOrigins("https://jira.server.com")
                           .AllowAnyMethod()
                           .AllowAnyHeader();
                           //.AllowCredentials();
                });
        });
    }

Sahil Sharma
  • Thank you for your answer. But I still get the same error when I remove AllowCredentials(). I don't want to use AllowAnyOrigin() either; it was just an attempt. – shermes Jun 10 '20 at 08:04
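The following JavaScript is an added example and is not part of the question or the answer above. It models the decision a browser makes on a CORS preflight: whether the request needs a preflight at all, and whether the headers the target server returns on the OPTIONS reply satisfy the rules quoted from the documentation (an Access-Control-Allow-Origin that is not a wildcard when credentials are sent, plus Access-Control-Allow-Credentials: true). The check runs against the response of the server the request is sent to, which in the question is the Jira host, not the ASP.NET Core app that serves the page. The origin, request and the three server responses are constructed inputs; the reason strings mimic the browser console messages but are not taken from any browser's source.

```javascript
// Simplified model of the browser-side CORS preflight check (added example; all
// inputs are constructed). Not a substitute for the Fetch specification.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Lower-case header names so lookups are case-insensitive, as in a real browser.
function normalize(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Request headers that are not CORS-safelisted and so must be approved by the preflight.
// Content-Type only counts as safelisted for the three form/plain-text MIME types.
function nonSafelistedHeaders(headers) {
  return Object.entries(normalize(headers))
    .filter(([name, value]) => {
      if (!SAFELISTED_HEADERS.has(name)) return true;
      if (name === "content-type") {
        const mime = value.split(";")[0].trim().toLowerCase();
        return !SAFELISTED_CONTENT_TYPES.has(mime);
      }
      return false;
    })
    .map(([name]) => name);
}

// A request skips the preflight only if its method and every header are safelisted.
function needsPreflight(request) {
  return !SIMPLE_METHODS.has(request.method.toUpperCase()) ||
    nonSafelistedHeaders(request.headers).length > 0;
}

function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Decide whether the browser accepts the preflight response. `origin` is the page's
// origin, `request` the intended request, `responseHeaders` the headers the target
// server put on its reply to the OPTIONS preflight.
function checkPreflight(origin, request, responseHeaders) {
  const h = normalize(responseHeaders);
  const credentialed = request.withCredentials === true;
  const allowOrigin = h["access-control-allow-origin"];

  if (allowOrigin === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present on the requested resource." };
  }
  if (credentialed && allowOrigin === "*") {
    return { ok: false, reason: "The value of the 'Access-Control-Allow-Origin' header must not be the wildcard '*' when the request's credentials mode is 'include'." };
  }
  if (allowOrigin !== "*" && allowOrigin !== origin) {
    return { ok: false, reason: `The 'Access-Control-Allow-Origin' header has a value '${allowOrigin}' that is not equal to the supplied origin.` };
  }
  if (credentialed && h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "The value of the 'Access-Control-Allow-Credentials' header must be 'true' when the request's credentials mode is 'include'." };
  }

  // Method: simple methods pass; others must be listed. "*" only counts without credentials.
  const method = request.method.toUpperCase();
  const allowedMethods = parseList(h["access-control-allow-methods"]).map((m) => m.toUpperCase());
  const methodOk = SIMPLE_METHODS.has(method) || allowedMethods.includes(method) ||
    (!credentialed && allowedMethods.includes("*"));
  if (!methodOk) return { ok: false, reason: `Method ${method} is not allowed by Access-Control-Allow-Methods in preflight response.` };

  // Headers: each non-safelisted request header must be listed; "*" never covers Authorization.
  const allowedHeaders = parseList(h["access-control-allow-headers"]);
  const wildcardHeaders = !credentialed && allowedHeaders.includes("*");
  for (const name of nonSafelistedHeaders(request.headers)) {
    const listed = allowedHeaders.includes(name) || (wildcardHeaders && name !== "authorization");
    if (!listed) return { ok: false, reason: `Request header field ${name} is not allowed by Access-Control-Allow-Headers in preflight response.` };
  }
  return { ok: true };
}

// Constructed scenario shaped like the question: a page on localhost calling the Jira host
// with a JSON body, Basic auth and withCredentials = true.
const PAGE_ORIGIN = "https://localhost:44301";
const JIRA_REQUEST = {
  method: "POST",
  withCredentials: true,
  headers: { "Content-Type": "application/json", "Authorization": "Basic dXNlcjpwYXNz" },
};

// 1. The target server sends no CORS headers at all (the situation in the question).
const noCorsHeaders = { "Content-Type": "application/json" };
// 2. Wildcard origin combined with credentials: the invalid combination the documentation warns about.
const wildcardWithCredentials = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "authorization, content-type" };
// 3. Exact origin echoed back, credentials allowed, method and headers listed.
const correctResponse = { "Access-Control-Allow-Origin": PAGE_ORIGIN, "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Authorization, Content-Type" };

function runScenarios() {
  return {
    preflightNeeded: needsPreflight(JIRA_REQUEST),
    missingHeader: checkPreflight(PAGE_ORIGIN, JIRA_REQUEST, noCorsHeaders),
    wildcard: checkPreflight(PAGE_ORIGIN, JIRA_REQUEST, wildcardWithCredentials),
    correct: checkPreflight(PAGE_ORIGIN, JIRA_REQUEST, correctResponse),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenarios(), null, 2));
}
```

Running it shows the first scenario producing the same "No 'Access-Control-Allow-Origin' header is present" reason as the error in the question, the second failing even though Access-Control-Allow-Credentials is present, and only the third passing. Nothing the calling application configures in its own AddCors policy appears in these inputs: those headers are sent by the server that receives the cross-origin request.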