
I am trying to enable CORS support in a Web API application. In my WebApiConfig.cs file, I have the following code:

var cors = new EnableCorsAttribute(origins: "http://localhost:19509",
                                               headers: "*",
                                               methods: "*");
config.EnableCors(cors);

However, this didn't work. I've tried every suggestion from the following links, but they don't work either:

I created an empty project with no authorization/authentication/security implementation and tried hitting this empty project from my front end, and that worked. Based on this, I believe that the front end implementation is fine.

Is there a specific package which might be causing this issue, or anything else I need to change?

It runs when I try with a CORS-disabled Chrome browser.

//Updating the question after implementing CORS in the StartUp.cs file.

I tried applying CORS in the StartUp.cs file as well, but no luck. Below is my code in the StartUp.cs file.

using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Abstractions;
using Microsoft.Owin;
using Owin;
using System.Web.Services;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.AspNetCore.Cors;

namespace xyz
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            ConfigureAuth(app);
        }
    }
}
sharad jain
  • see my updated answer. Basically if it works when cors is off in the browser, it means the server is adding the Cors headers fine, you're just making a request from a domain that's not listed. e.g you haven't white listed https. Or you're trying to make a request from a completely different domain. – johnny 5 Oct 29 '20 at 14:26

2 Answers

  1. You should probably whitelist https://.

  2. You should probably configure cors from the Startup.

  3. You may need to configure cors to AllowCredentials

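    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            // Named policy; each allowed origin (scheme + host + port) is listed explicitly.
            options.AddPolicy("Default", builder =>
            {
                builder.WithOrigins("http://localhost:19509")
                    .WithOrigins("https://localhost:19509")
                    .AllowCredentials()
                    .AllowAnyHeader()
                    .AllowAnyMethod();
            });
        });
    }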

Then you need to add the cors policy to the app so it's applied to each request

public void Configure(IApplicationBuilder app)
{
    app.UseCors("Default");
}

On a side note during development phase, you can open up the cors policy and slowly start restricting it as you learn.

EDIT

"It runs when I try with a cors disabled Chrome browser."

The browser is the one to enforce cors. If it only runs when cors is disabled, it means the cors headers are being added properly from the server.

It sounds like your issue is the client. It sounds like either you're trying to make a call from the client, with a domain different than localhost:19509, OR at some point during the login process you're using Https which you haven't configured in your updated example.

johnny 5
  • Tried doing that too, but I am not able to get the required assembly 'Microsoft.Extensions.DependencyInjection'. It is visible in the references section, but I am not able to import it. Has it anything to do with security? – sharad jain Oct 28 '20 at 13:43
  • @sharadjain what do you mean you cannot get the required assembly? What version of .net/net-core are you using? Can you post your startup.cs file? – johnny 5 Oct 28 '20 at 13:45
  • I am referring to the link below, considering your suggestion: https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.1 But after sorting out all assembly mistakes, now it says that IserviceCollection does not contain a definition for the AddCors method. StartUp.cs: public void ConfigureServices(IServiceCollection services) { services.AddCors(options => { options.AddPolicy("Default", builder => { builder.WithOrigins("http://localhost:19509").AllowCredentials().AllowAnyHeader().AllowAnyMethod(); }); }); – sharad jain Oct 28 '20 at 14:24
  • Please update the question to additionally contain the Startup.cs and the error you're receiving now, and the error details. I'll update the answer – johnny 5 Oct 28 '20 at 14:37
  • Hi, I tried your suggested point related to the startup file, but that didn't work. I just figured out that my issue is related to Anonymous authentication. If I enable it, the issue gets fixed; if I disable anonymous authentication, the CORS issue occurs. My project requirement is to keep only Windows authentication enabled. – sharad jain Oct 30 '20 at 12:21
  • @sharadjain so did you fix it? – johnny 5 Oct 30 '20 at 13:49
  • No, could not fix it yet – sharad jain Nov 01 '20 at 12:09

So finally I am posting the steps which I took to resolve the issue and run my solution with Windows Authentication:

1) Install the IIS CORS module.

2) IIS settings in my case were to keep only Windows Authentication enabled and disable anonymous authentication.

3) Add the tags below to your API's Web.config.

<system.webServer>
      <cors enabled="true">
          <!-- Replace the placeholder with your front end's origin -->
          <add origin="[Your Origin]" allowed="true" />
      </cors>
      <httpProtocol>
          <customHeaders>
              <add name="Access-Control-Allow-Headers" value="Content-Type" />
              <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
              <add name="Access-Control-Allow-Credentials" value="true" />
          </customHeaders>
      </httpProtocol>
</system.webServer>

4) If you get a 401 error now, that means you need to set up authorization as well. A simple solution would be to add credentials with the request.

sharad jain
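
Added example (not part of either answer and not the asker's code): a simplified JavaScript model of the checks a browser applies to the preflight response for a credentialed cross-origin call, covering the two symptoms discussed in this thread, an http/https origin mismatch and a 401 on the preflight when the server requires authentication for every request. The function name `checkPreflight` and the sample responses are constructed for illustration; this is not a full Fetch implementation.

```javascript
// Added example: simplified model of the browser-side CORS check for the
// scenarios in this thread. Not a full Fetch implementation.

// Case-insensitive header lookup on a plain object.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// pageUrl: URL of the calling page; preflight: { status, headers } of the
// OPTIONS response; withCredentials: true when cookies/Windows auth are sent.
function checkPreflight(pageUrl, preflight, withCredentials) {
  const origin = new URL(pageUrl).origin; // scheme + host + port
  // The preflight carries no credentials, so a server that requires
  // authentication for OPTIONS answers 401 and the real request is never sent.
  if (preflight.status < 200 || preflight.status > 299) {
    return { allowed: false, reason: "preflight status " + preflight.status };
  }
  const allowOrigin = header(preflight.headers, "Access-Control-Allow-Origin");
  if (allowOrigin === null) return { allowed: false, reason: "no Access-Control-Allow-Origin" };
  if (allowOrigin === "*") {
    return withCredentials
      ? { allowed: false, reason: "wildcard origin with credentials" }
      : { allowed: true, reason: "ok" };
  }
  // Exact string match: http://localhost:19509 is not https://localhost:19509.
  if (allowOrigin !== origin) return { allowed: false, reason: "origin mismatch: " + origin };
  if (withCredentials && header(preflight.headers, "Access-Control-Allow-Credentials") !== "true") {
    return { allowed: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample responses (not captured from the asker's server).
const okHeaders = {
  "Access-Control-Allow-Origin": "http://localhost:19509",
  "Access-Control-Allow-Credentials": "true",
};
const samples = {
  windowsAuthOnly: checkPreflight("http://localhost:19509/",
    { status: 401, headers: { "WWW-Authenticate": "Negotiate" } }, true),
  httpsPage: checkPreflight("https://localhost:19509/", { status: 204, headers: okHeaders }, true),
  configured: checkPreflight("http://localhost:19509/", { status: 204, headers: okHeaders }, true),
};
console.log(samples);
```

Comparing the OPTIONS response shown in the browser's network tab against these checks shows which one is failing.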