How does one specify a CORS policy on static files and allow HTTPOption (preflight) requests? I'm trying to retrieve a static file from application Y into application X via an XHR request. But this gives the following error:
Access to XMLHttpRequest at 'Y/test.jpg' from origin 'X' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
The first problem that seems to occur is that HTTPOption requests are returning 404 errors. Why is that? It would make sense in missing controller endpoints, but in this case the URL leads to a file.
In this answer it seems like the AspNetCoreModuleV2 does not know how to handle HTTPOption.
After modifying the web.config as shown in the answer (removing HTTPOption from the module), I do get a 200 response and the last obstacle is the actual CORS error itself.
Because the HTTPOption is not handled via AspNetCoreModuleV2 after the change, the only way I can think of to add the CORS headers is to do this from the web.config. e.g.:
<add name="Access-Control-Allow-Origin" value="*" />
With those two changes, application X can load the data properly. I do think this is not a clean solution, because:
- The
HTTPOptionwill not work on controller-specific endpoints because its filtered away fromweb.config - The CORS headers will be added in all requests, instead of on static files only
- The .NET Core CORS (
AddCors/UseCors) is not used
