CORS between Dev IISEXPRESS and IIS

Question

I have a cors implementation on a ASP netcore 3.1 MVC API. It works in Development.

In startup.cs (I basicall accept any origin in an atempt to get this working)

app.UseCors(builder=>{
          builder.SetIsOriginAllowed(origin={
          var host=new Uri(origin).Host;
          return true; ///Accept any
          })
          .AllowAnyMethod()
          .AllowAnyHeader()
          .AllowCredentials()
   })

I have a standard set of Controllers One is the User that allows Anonymous for authentication.

When I run on IISEXPRESS all works

When I run on IIS on a production like environment I get a series of errors starting with No Headers for Allow-Control-Allow-Origin

I try to set up web.config to use custom headers with the four responses

<httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="https://MYDOMAIN" />
      <add name="Access-Control-Allow-Headers" value="Content-Type" />
      <add name="Access-Control-Allow-Methods" value="OPTIONS" />
      <add name="Access-Control-Allow-Credentials" value="true" />
   </customHeaders>
 </httpProtocol>

But now I get Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

Why am having to do any of this as it works in dev? Why does IIS seem to only allow one domain for CORS. Isn't the point to all CORS to allow multiple origins?

Why cant I find a solution.

Here are some pictures Error from The IIS server:

Network requests Dev network Server with IIS

Take a look at IIS CORS module please, https://blogs.iis.net/iisteam/getting-started-with-the-iis-cors-module — Lex Li, Aug 23 '21 at 15:05
This like many examples is restricting the origins to a limit of the domian. COPRS is to allow different domains. Seems wild card are not working. Also the code handles the cors iand works in dev. Is their a way to stop IIS getting in the way? — Lee Arnould, Aug 23 '21 at 23:27
I doubt if you even give it a try, as others did succeeded with multiple domains, https://stackoverflow.com/a/66461238/11182 . Besides, your screen shots show 401 on preflight requests, which indicates you enabled a challenged based authentication (Windows/Basic or others). That 401 can only be resolved by IIS CORS module where you can configure preflight requests to be allowed without authentication. — Lex Li, Aug 24 '21 at 01:52
Thanks the 401 was a good spot. I will try. Do I need to install anything for cors on server. Just wondering why I need to do any of this since code manages the whole cors thing — Lee Arnould, Aug 24 '21 at 07:30
Have you installed the [IIS CORS Module](https://www.iis.net/downloads/microsoft/iis-cors-module), if not, please try to install it? — samwu, Aug 24 '21 at 09:56
The problem was the fully setup server had not been fully set up :(iis cores module now installed — Lee Arnould, Aug 31 '21 at 08:30

score -1 · Answer 1 · answered Aug 31 '21 at 08:31

-1

Installed iis cors extention for IIS and it worked.

answered Aug 31 '21 at 08:31

Lee Arnould

123
9

CORS between Dev IISEXPRESS and IIS

1 Answers1