I have a controller where I enabled CORS:

[EnableCors(Startup.CORS_POLICY_EXTERNAL)]
public class MasterController : Controller
{
    [HttpGet]
    public IActionResult TestaConnessione()
    {
        return Ok();
    }
}

but with a simple fetch:

fetch("url/MasterController/TestaConnessione")

the caller gets: CORS header “Access-Control-Allow-Origin” missing

but if the caller uses an iframe, everything works fine:

<iframe name="ifrReport" id="ifrReport"></iframe>

<script type="text/javascript">
    (function () {
        let form, input;
        form = document.createElement("form");
        form.action = "URL";
        form.target = "ifrReport";
        form.method = "POST";       
        document.body.appendChild(form);
        form.submit();
    })();

</script>

that's the startup config:

public const string CORS_POLICY_EXTERNAL = "CORS_POLICY_EXTERNAL";
public const string CORS_POLICY_LOCAL = "CORS_POLICY_LOCAL";

services.AddCors(options =>
{
    options.AddPolicy(name: CORS_POLICY_EXTERNAL,
                      builder =>
                      {
                          builder.AllowAnyOrigin()
                                 .AllowAnyMethod()
                                 .AllowAnyHeader();
                      });
    options.AddPolicy(name: CORS_POLICY_LOCAL,
                      builder =>
                      {
                          builder.WithOrigins("http://localhost")
                                 .AllowAnyMethod()
                                 .AllowAnyHeader();
                      });
});

app.UseRouting();

app.UseCors();

app.UseAuthentication();
app.UseMiddleware<AuthenticationMiddleware>();
var options = app.ApplicationServices.GetService<IOptions<RequestLocalizationOptions>>();
app.UseRequestLocalization(options.Value);
app.UseAuthorization();
gt.guybrush
  • Use developer tools of your browser to analyze the preflight requests and responses. That should get you started. – Lex Li Aug 18 '22 at 16:57
  • https://stackoverflow.com/questions/57410051/chrome-not-showing-options-requests-in-network-tab even looking in the flags pages, CORS visibility in my Chrome browser is no longer present – gt.guybrush Aug 19 '22 at 07:13
  • Chrome isn't the only web browser in this world. – Lex Li Aug 19 '22 at 07:17
  • in my corporate pc it is :( – gt.guybrush Aug 19 '22 at 07:18
  • Maybe this is the reason: I'm testing with fetch("url"), and reading https://stackoverflow.com/questions/56856345/how-can-i-view-cors-pre-flight-options-requests-in-my-browsers-console, "I'm using jQuery.get(url); to trigger my CORS request. This will trigger a simple request without a preflight OPTIONS request. You haven't fulfilled any of the conditions required to trigger a preflight. Since a preflight isn't being made, none show up in the developer tools." – gt.guybrush Aug 19 '22 at 07:21
  • Is this happening on your internal or external call? Could it be related to this? https://stackoverflow.com/questions/31276220/cors-header-access-control-allow-origin-missing – flashsplat Aug 22 '22 at 13:45
  • It talks about PHP config; as posted, I (presume) correctly set up the .NET CORS settings – gt.guybrush Aug 24 '22 at 07:18
  • Seems you missed the policy name in app.UseCors(...here policy name); – harpal Aug 27 '22 at 05:30
  • Before, I set CORS_POLICY_LOCAL inside and it was not working; since I have two policies, which one do I have to use? Reading https://stackoverflow.com/questions/44379560/how-to-enable-cors-in-asp-net-core-webapi and https://stackoverflow.com/questions/43985620/asp-net-core-use-multiple-cors-policies, many users create a custom CORS middleware, but I hope to find a simpler way – gt.guybrush Aug 27 '22 at 19:42

2 Answers

As already answered multiple times, you can't bypass CORS just from the client (your) side only. That feature needs to be enabled on the target server too. To quote from this answer:

The header of the response, even if it's 200 OK, does not allow other origins (domains, port) to access the resources. You can fix this problem if you are the owner of the domain

Also, when you gave the example of the JS script that appends a form to the document and submits it, that is not related to CORS, because in that case no AJAX/XHR request is made; instead it is a form submit action, which can be done with any domain, regardless of their CORS policy (though there exist other measures too, which might even block form submission from other domains, but that is not in the scope of this question).

As a solution, you might try to trigger the request from the client side to the backend of the app, which will make a request to the target domain, and then your backend app provides that result back to the client side. That way, you will not need to worry about CORS policies.

T.Todua
  • Maybe I'm missing something, but the controller and startup with the CORS policy are on the server side: that is the action that other client apps have to call – gt.guybrush Aug 27 '22 at 19:34
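
Added example (not part of the original question or answers): a simplified JavaScript model of the browser-side rules this thread turns on, showing why the plain `fetch` sends no preflight, why a response without `Access-Control-Allow-Origin` is unreadable to script, and why the form post into the iframe is never CORS-checked. Function names and sample origins are constructed for illustration, and the safelist checks on header values are omitted.

```javascript
// Added example: simplified model of the browser-side rules in the Fetch standard.
// Function names and sample origins are constructed for illustration.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True when a cross-origin fetch/XHR is preceded by an OPTIONS preflight.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const key = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(key)) return true;
    const mime = String(value).split(";")[0].trim().toLowerCase();
    return key === "content-type" && !SIMPLE_TYPES.has(mime);
  });
}

// Outcome of a cross-origin request that needed no preflight.
// kind: "fetch" (fetch/XHR) or "form" (form submission into a window or iframe).
// responseHeaders: object keyed by lower-case header name.
function crossOriginOutcome(kind, origin, responseHeaders = {}, credentials = false) {
  // The request reaches the server in every case; only script access to the response differs.
  const result = (readable, reason) => ({ sent: true, readable, reason });
  if (kind === "form") {
    return result(false, "navigation: no CORS check, frame content stays cross-origin");
  }
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return result(false, "Access-Control-Allow-Origin missing");
  if (allow === "*") {
    return credentials
      ? result(false, "wildcard rejected for credentialed request")
      : result(true, "wildcard");
  }
  // The value must equal the serialized origin exactly (scheme, host and port).
  if (allow !== origin) return result(false, "origin mismatch");
  if (credentials && responseHeaders["access-control-allow-credentials"] !== "true") {
    return result(false, "Access-Control-Allow-Credentials missing");
  }
  return result(true, "exact origin match");
}

// The question's case: plain GET, response without the header (constructed origin).
console.log(needsPreflight("GET"), crossOriginOutcome("fetch", "http://client.example"));
```

Every outcome has `sent: true`: CORS only controls whether script may read the response, so state-changing actions still need their own protection such as anti-forgery tokens.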
The problem was

app.UseCors();

or

app.UseCors("CORS_POLICY_LOCAL");

both don't work; I was forced to set

app.UseCors("CORS_POLICY_EXTERNAL");

further reading for reference:

gt.guybrush