-1

I have a Web API built with .NET Core 3.1. It's hosted in IIS on my laptop. At the same time I developed an Angular UI and published it in the same IIS. Same IIS, but each application has its own port.

When I insert a new record from the UI, it is done successfully, meaning the POST is successful. If I try to modify it, meaning a PUT, it does not go through. In the browser's developer tools, the console displays this message:

Access to XMLHttpRequest at 'http://blablabla.com:777/api/items/333' from origin [the web application url goes here which is something like http://blablabla.com:778] has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I have tried what I found on this website, meaning that I modified Startup.cs, adding this in ConfigureServices:


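    // HeaderNames comes from Microsoft.Net.Http.Headers
    services.AddCors(options => {
        // Policy1: any origin, any method, two named request headers
        options.AddPolicy(name: "Policy1", builder => {
            builder.AllowAnyOrigin().AllowAnyMethod().WithHeaders(HeaderNames.ContentType, "Access-Control-Allow-Origin");
        });
        // Policy2: any origin, any method, any header
        options.AddPolicy(name: "Policy2", builder => {
            builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
        });
        // Policy3: a single named origin, any header, any method
        options.AddPolicy(name: "Policy3", builder => {
            builder.WithOrigins("http://name.com:7771").AllowAnyHeader().AllowAnyMethod();
        });
    });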

and this in the Configure method (after app.UseRouting();):


       app.UseCors("Policy2");

I have no idea about what else to try.

Botnik
  • 1

1 Answer

0

After some time full of frustration with this problem, I finally found a solution.

Having this problem when trying to update (PUT). I can insert (POST) without any problem.

Access to XMLHttpRequest at 'http://superinspections.com:8000/api/Cities/12962' from origin 'http://superinspections.com:8001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.


Solution: In IIS version 10:

Click on the website you are having the access origin problem with (the back end) and double click on the HTTP Response Headers icon. Add the following entries:

- Access-Control-Allow-Headers with value *
- Access-Control-Allow-Methods with value POST, PUT, GET, OPTIONS
- Access-Control-Allow-Origin with value *

This will add the following to the web.config file of that site:

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="*" />
                <add name="Access-Control-Allow-Headers" value="*" />
                <add name="Access-Control-Allow-Methods" value="POST, PUT, GET, OPTIONS" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>

After running the program I did not have the Access-Control-Allow-Origin problem, but I had a new message: HTTP 405 Method Not Allowed. To solve this I found the solution here:

Web API Put Request generates an Http 405 Method Not Allowed error

And the solution was to remove the WebDAV module with the following entry in the web.config files of both the front end and the back end.

Place this inside <system.webServer>.

    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule"/> <!-- add this -->
    </modules>

and add this to the handlers section:

    <handlers>
        <remove name="WebDAV" />
        ...
    </handlers>

After that, the application was working as expected. I need to add that I needed to keep the CORS configuration in Startup.cs.

In the ConfigureServices:

    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder
                .AllowAnyMethod());
    });

And in the Configure method, between app.UseRouting() and app.UseAuthentication():

        app.UseCors("CorsPolicy");

and the attribute [EnableCors("CorsPolicy")] in the controllers that may need it.

For what I need, which is development and testing of an Angular application, this is sufficient. You may play with the CORS configuration in the client in order to get rid of the server setup, as I will do when I complete the development. But I think the WebDAV part is unavoidable.

One thing I need to add is that the web config changes go away if you republish your back end.

Any comments will be appreciated, especially an explanation of what WebDAV is.

Botnik
  • 1
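
Added example (not part of the answer above and not the poster's code): a simplified JavaScript model of the check a browser applies to a CORS preflight response, run over constructed responses for the states the answer goes through, plus a constructed variant that names the Angular origin instead of using `*`. Assumptions: the first failure was a 405 served without CORS headers, the PUT carries a `Content-Type` header that needs a preflight, a successful preflight returns 204, and `http://other.example` is a hypothetical unrelated site.

```javascript
// Added example: simplified model of a browser's CORS preflight check
// (request without credentials). All responses are constructed samples.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
const split = v => (v || "").split(",").map(s => s.trim()).filter(Boolean);

// req: { origin, method, headers: [names of non-safelisted request headers] }
// res: { status, headers: { "lower-case-name": value } }
function checkPreflight(req, res) {
  const origin = res.headers["access-control-allow-origin"];
  if (origin === undefined) return "blocked: no Access-Control-Allow-Origin header";
  if (origin !== "*" && origin !== req.origin) return "blocked: origin not allowed";
  if (res.status < 200 || res.status > 299) return `blocked: preflight status ${res.status}`;
  const methods = split(res.headers["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes("*") &&
      !methods.includes(req.method)) return `blocked: method ${req.method} not allowed`;
  const allowed = split(res.headers["access-control-allow-headers"]).map(h => h.toLowerCase());
  for (const name of req.headers) {
    if (!allowed.includes("*") && !allowed.includes(name.toLowerCase()))
      return `blocked: header ${name} not allowed`;
  }
  return "allowed";
}

// Headers as set in the IIS customHeaders section of the answer.
const wildcard = {
  "access-control-allow-origin": "*",
  "access-control-allow-headers": "*",
  "access-control-allow-methods": "POST, PUT, GET, OPTIONS",
};
// Constructed alternative: only the Angular site's origin, method and header.
const pinned = {
  "access-control-allow-origin": "http://superinspections.com:8001",
  "access-control-allow-headers": "content-type",
  "access-control-allow-methods": "PUT",
};
const ui = { origin: "http://superinspections.com:8001", method: "PUT", headers: ["Content-Type"] };
const other = { ...ui, origin: "http://other.example" }; // hypothetical unrelated site

console.log(checkPreflight(ui, { status: 405, headers: {} }));          // 405 with no CORS headers
console.log(checkPreflight(ui, { status: 405, headers: wildcard }));    // IIS headers, WebDAV still on
console.log(checkPreflight(ui, { status: 204, headers: wildcard }));    // WebDAV removed
console.log(checkPreflight(other, { status: 204, headers: wildcard })); // wildcard admits any origin
console.log(checkPreflight(other, { status: 204, headers: pinned }));   // pinned origin rejects it
```

The model ignores credentialed requests, where `*` is not accepted for any of the three headers.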