2

I have an ASP.NET MVC and REST Web API written in C#. A few days back we have upgraded the framework version for both ASP.NET MVC and Web API from 4.5 to 4.7.2 and after that, it is continuously throwing CORS error saying my ASP.NET MVC URL is not able to call REST

No 'Access-Control-Allow-Origin' header present on the requested resource

The interesting part is that when we started this project a few years back we have already configured the fix which is mentioned in this Answers and is working fine up to this point.

I even tried other answers from that question but it still throwing the same error. I even upgraded all NuGet packages but facing the same issue.

I am calling API from my ASP.NET MVC app via Ajax.

Here is my Global.asax.cs file configuration

protected void Application_BeginRequest()
    {
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

        if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
        {
            //These headers are handling the "pre-flight" OPTIONS call sent by the browser
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS,");
            HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "userId,ApiKey");
            HttpContext.Current.Response.End();
        }
    }

I am missing any configuration?

Harshal Bulsara
  • 7,898
  • 4
  • 43
  • 61
  • Have you reverted back to the old versions, to confirm, that this infact caused the issue? In any case, we would need your configuration to validate this for our self. – Marco Feb 01 '21 at 05:57
  • @Marco Yes I have and it worked correctly. In fact, it also works with the upgraded MVC version and old API build. – Harshal Bulsara Feb 01 '21 at 06:12
  • Then we will need your api config to validate this for our self. Without seing the code, it's all guesswork. – Marco Feb 01 '21 at 06:17
  • Rough guess - is `CompatibilityVersion` need to be set? [SetCompatibilityVersion](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.compatibilityversion?view=aspnetcore-5.0) – user1672994 Feb 01 '21 at 06:22
  • @user1672994 I am not using .netcore – Harshal Bulsara Feb 01 '21 at 06:44
  • Check the target version in project properties and try Net 4,5. You are using HTTP connection so check if your URL is HTTP or HTTS (secure which uses TLS). Are you using any third party libraries? The libraries may need updating. Did you do clean builds on all libraries? Upgrading to new version of Net doesn't automaically rebuild all the intermediate object files. – jdweng Feb 01 '21 at 09:35
  • @jdweng 4.5 is working correctly. All my libraries are updated as well. But, still the same issue. I am using HTTPS. – Harshal Bulsara Feb 01 '21 at 12:07
  • It must be a TLS issue. Try adding at beginning of code : ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; TLS changed in 4.7.2 from using a Net method to using a Operating System method. You may need to update the Operating System or Kernel to latest version. – jdweng Feb 01 '21 at 12:16
  • @jdweng I added what you suggested but still facing the same error – Harshal Bulsara Feb 02 '21 at 06:58
  • See following : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin – jdweng Feb 02 '21 at 09:13
  • Could you try to echo the origin instead of using a wildcard? Like this : HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", Context.Request.Headers["Origin"]); – AardVark71 Feb 03 '21 at 15:26
  • @AardVark71 same error. – Harshal Bulsara Feb 04 '21 at 05:45
  • Two things to try out : 1) If somewhere there is already an invalid origin set, you have to remove it first : **HttpContext.Current.Response.Headers.Remove("Access-Control-Allow-Origin");** **HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", Context.Request.Headers["Origin"]);** 2) Or could it be that you need to add Origin to your allowed headers ? Then add it to Access-Control-Allow-Headers **HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Origin,userId,ApiKey");** – AardVark71 Feb 04 '21 at 06:50
  • A last advice.... if the above does not work... Do you see anything changed in the headers sent back (4.5 vs 4.7.2)? e.g. when you inspect the headers with chrome – AardVark71 Feb 04 '21 at 06:54
  • in 4.5 I can see that Access-Control-Allow-Headers is sent in response but not in 4.7 – Harshal Bulsara Feb 04 '21 at 07:07
  • do you use allow credentials header also? – ofir elarat Feb 06 '21 at 17:37
  • @ofirelarat no I don't – Harshal Bulsara Feb 08 '21 at 02:35

1 Answers1

4

Here is the reason it stopped working for you after the framework upgrade.

On 4.5.2, Application_BeginRequest will be fired for OPTIONS.
On 4.7.2, Application_BeginRequest won't be fired for OPTIONS.

If you add following to your web.config then Application_BeginRequest will be fired for OPTIONS on 4.7.2.

<system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

Source code: https://github.com/ShahJe/MVCOptionsDemo

Shahid Syed
  • 589
  • 3
  • 15
  • It's still throwing the same error. Can you mention the reference just wanted to check – Harshal Bulsara Feb 09 '21 at 03:08
  • Take a look at the repo mentioned on the answer. I put a break point on Application_BeginRequest and noticed it was not hitting break point after I upgraded to 4.7.2. I searched for Application_BeginRequest not firing for OPTIONS and saw someone recommending use of runAllManagedModulesForAllRequests. I added it in web.config and break point started to hit for me on 4.7.2. – Shahid Syed Feb 09 '21 at 15:34