-1

On ASP.NET Core 1.1.

I included the NuGet package Microsoft.AspNetCore.Cors, version 1.1.2.

Startup.cs has CORS code shown below.

These are the issues:

  • Issue 1: as per the code below, CORS has been configured to allow only 'POST', but it allows ALL HTTP methods instead of restricting to 'POST' only.

  • Issue 2: CORS has been configured to allow only "CustomHeader1" and "CustomHeader2", but it is NOT allowing any request headers, including the valid "CustomHeader1" and "CustomHeader2" request headers. Only if I remove the headers from the request altogether do I receive a response.

Code:

 public IServiceProvider ConfigureServices(IServiceCollection services)
 {
     services.AddCors();
 }

 public void Configure(IApplicationBuilder app)
 {
     app.UseCors(builder => builder
                                .AllowAnyOrigin()
                                .WithMethods("POST")
                                .WithHeaders("CustomHeader1", "CustomHeader2")
                );
 }

What am I missing to configure CORS only for the POST method and to allow only "CustomHeader1" and "CustomHeader2" in the request?

marc_s
191180rk

2 Answers

0

You can try this syntax:

public void ConfigureServices(IServiceCollection services)
{
    // ...
    // Register a named CORS policy that allows any origin, method and header.
    services.AddCors(o => o.AddPolicy("AllowAnyOrigin", builder =>
    {
        builder.AllowAnyOrigin()
               .AllowAnyMethod()
               .AllowAnyHeader();
    }));

    // ...
}

public void Configure(IApplicationBuilder app)
{
    // ...

    app.UseRouting();
    // Apply the named policy registered in ConfigureServices.
    app.UseCors("AllowAnyOrigin");
    //app.UseAuthentication();
    //app.UseAuthorization();
    // ...
}

Only if it works, you can try to add some restrictions.

Serge
  • @Serge, this works too, but I'm **not able to restrict** CORS using .WithMethods("POST") .WithHeaders("CustomHeader1", "CustomHeader2"). What would be the issue? – 191180rk Jan 24 '22 at 04:56
  • @191180rk only if it works, you can try to add some restrictions. – Serge Jan 24 '22 at 08:15
  • The restriction is not considered despite being added. Code added: .AllowAnyOrigin() .WithMethods("POST") .WithHeaders("CustomHeader1", "CustomHeader2"). With this code, CORS is working even for the GET method, which it should not. – 191180rk Jan 24 '22 at 08:30
  • @191180rk The GET method always works; it doesn't need CORS. CORS is needed for POST mostly. And you are very lucky that it works without restrictions. In many cases it doesn't work at all. IMHO, forget about restrictions. – Serge Jan 24 '22 at 08:31
  • @Serge, 1) So which methods need CORS? 2) Though header restrictions are applied using .WithHeaders("CustomHeader1", "CustomHeader2"), CORS is working for **"CustomHeader11234"** as well, without honoring the header restriction. – 191180rk Jan 24 '22 at 08:45
  • @Serge, also, I'm not seeing these headers (Access-Control-Allow-Methods: GET Access-Control-Allow-Headers: CustomHeader1) in the response, which are enabled as part of enabling CORS. – 191180rk Jan 24 '22 at 08:54
0

In .NET Core 1.1, you need to add

app.UseCors(builder => builder
    .AllowAnyOrigin()
    .WithMethods("POST")
    .WithHeaders("CustomHeader1", "CustomHeader2")
);

before calling app.UseMvc() and app.UseStaticFiles().


Suggestion 1:

If your web app is hosted on IIS, please check this link. If you are in the development stage, please check the order in your Startup.cs file.

Suggestion 2:

If it still does not work, please generate the publish files and check whether a web.config file is generated.

Suggestion 3:

It is recommended to code according to the official examples; the official code is all tested and can save a lot of time.

Jason Pan
  • @Jason Pan, this works, but I'm **not able to restrict** CORS using .WithMethods("POST") .WithHeaders("CustomHeader1", "CustomHeader2"). What would be the issue? – 191180rk Jan 24 '22 at 04:57
  • @191180rk Is your program deployed? – Jason Pan Jan 24 '22 at 05:00
  • @Jason Pan, at present I'm verifying it locally using IIS Express; once the local testing has passed, it will later be deployed to Azure Service Fabric. – 191180rk Jan 24 '22 at 05:16
  • @191180rk Referring to suggestion 2, check whether the release files contain web.config. In addition, if you are testing locally, please refer to the link above to modify it. – Jason Pan Jan 24 '22 at 05:19
  • @191180rk https://davidsekar.com/asp-net/cors-development-in-localhost – Jason Pan Jan 24 '22 at 05:20
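
The thread turns on which requests a CORS policy actually restricts. As an added example (not code from the question, the answers, or ASP.NET Core), this JavaScript sketch models the standard CORS flow for the question's policy: the browser enforces the restriction, it preflights only requests that use a non-safelisted method or header, and Access-Control-Allow-Methods and Access-Control-Allow-Headers are preflight response headers. The function names and the server's preflight behaviour are assumptions.

```javascript
// Added example: simplified model of the CORS flow, not ASP.NET Core code.
// Policy mirrors the question: any origin, POST only, two custom headers.
const policy = { methods: ["POST"], headers: ["CustomHeader1", "CustomHeader2"] };

// Fetch-standard safelists; a request limited to these is sent with no preflight.
// Simplification: Content-Type is treated as always safelisted (values not checked).
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

const lower = (names) => names.map((n) => n.toLowerCase());

// Browser side: does this cross-origin request trigger an OPTIONS preflight?
function needsPreflight(method, headerNames) {
  return !SAFE_METHODS.includes(method.toUpperCase()) ||
    lower(headerNames).some((h) => !SAFE_HEADERS.includes(h));
}

// Server side (assumed behaviour): reply with Allow-* headers only when the
// requested method and every requested header are in the policy. Some servers
// always return the lists and leave the comparison to the browser.
function answerPreflight(p, method, requestedHeaders) {
  const allowed = lower(p.headers);
  const ok = p.methods.includes(method.toUpperCase()) &&
    requestedHeaders.every((h) => allowed.includes(h));
  if (!ok) return {};
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": p.methods.join(", "),
    "Access-Control-Allow-Headers": p.headers.join(", "),
  };
}

// Browser decision. Non-browser clients (curl, Postman) never run this logic.
function browserOutcome(p, method, headerNames) {
  if (!needsPreflight(method, headerNames)) {
    // Sent directly; readable because the policy allows any origin.
    return "sent without preflight";
  }
  const custom = lower(headerNames).filter((h) => !SAFE_HEADERS.includes(h));
  const reply = answerPreflight(p, method, custom);
  return "Access-Control-Allow-Origin" in reply ? "preflight passed" : "blocked by browser";
}

// Constructed sample requests.
for (const [m, h] of [["GET", []], ["POST", ["CustomHeader1"]],
                      ["POST", ["CustomHeader11234"]], ["DELETE", []]]) {
  console.log(m, h, "->", browserOutcome(policy, m, h));
}
```

To observe the restriction against a real server, send the request from a browser page on a different origin and inspect the OPTIONS exchange in the network tab.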