1

I'm trying to get CORS working but I'm getting error "Request origin null does not have permission to access the resource." only when the application is deployed to the server. I have checked the headers and the request does include an "origin" header with the domain of the page that initiated the request, but still I get the above error, as if the header is not being sent as part of the request.

This is the CORS policy I'm using:

      builder.WithOrigins("https://*.mydomain.com")
                    .AllowAnyMethod()
                    .AllowAnyHeader()
                    .AllowCredentials()
                    .SetIsOriginAllowedToAllowWildcardSubdomains();

Everything works locally when using the same configuration. Could it be that a load balancer is removing the header for security? Also I'm using ".AllowCredentials()" on the call to setup CORS in the startup class.

ryudice
  • 36,476
  • 32
  • 115
  • 163
  • Browser always send the Origin header for cross-origin requests — but there are a number of cases in which the browser will end up setting the Origin value to null. See the answer at https://stackoverflow.com/questions/42239643/when-do-browsers-send-the-origin-header-when-do-browsers-set-the-origin-to-null/42242802#42242802. Maybe the case that people run into most often is, If the request has ended up getting redirected across origins. – sideshowbarker Jul 13 '21 at 04:13

0 Answers0