0

I'm having these errors. I have a Windows server. I pointed the server's IP address to https://api.example.com. When I try the API it works: https://api.example.com/api/test returns data.

I get an "is not equal to" error when my code looks like this:

```csharp
builder.Services.AddCors(options => options.AddDefaultPolicy(
    policy => policy
    .WithOrigins("https://www.example.com.tr")
    .AllowAnyHeader()
    .AllowAnyMethod()
));
app.UseCors();
```

Access to XMLHttpRequest at 'https://api.example.com/api/test' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'http://www.example.com' that is not equal to the supplied origin.

If I change the origin to https://example.com.tr, I get a multiple values error.

```csharp
builder.Services.AddCors(options => options.AddDefaultPolicy(
    policy => policy
    .WithOrigins("https://example.com.tr")
    .AllowAnyHeader()
    .AllowAnyMethod()
));
app.UseCors();
```

Access to XMLHttpRequest at 'https://api.example.com/api/test' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'http://www.example.com' that is not equal to the supplied origin.

I added these lines to my Web API's web.config file:

```xml
<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Headers" value="*" />
    <add name="Access-Control-Allow-Methods" value="*" />
  </customHeaders>
</httpProtocol>
```

fako
  • 28
  • 5
  • ASP.NET Core does not use `web.config` - though IIS does. – Dai May 05 '23 at 00:02
  • Are you using the **exact same** URI scheme everywhere? Also, you need to be using `https://` everywhere and **not** just `http://` - technically CORS doesn't require secure-contexts, but simply using `https://` everywhere _does_ solve a lot of headaches. – Dai May 05 '23 at 00:04
  • Also, you need both `www.` and non-`www.` versions of `Host` names _unless_ you're absolutely certain your client website (from which browsers send CORS preflight requests) always uses a single consistent `Host` name. – Dai May 05 '23 at 00:05
  • Dear @Dai, thank you for answering. Yes, I'm using the exact same URL everywhere (copy-paste). I also added both www. and non-www. versions as you said, and I'm now getting the "The 'Access-Control-Allow-Origin' header has a value 'http://www.example.com' that is not equal to the supplied origin." error. I know there are a lot of questions about this here; I checked all of them but it didn't solve it. – fako May 05 '23 at 00:12
  • Rather than using `example.com` - what are the **actual** URIs/hostnames you're using? – Dai May 05 '23 at 00:12
  • Also, your `AddCors` code only shows you adding a _single_ Origin (`https://www.example.com.tr`) - how/where are you adding the other versions of the origins (e.g. with-and-without `www.`)? – Dai May 05 '23 at 00:13
  • https://myDomain.com.tr is my website and https://api.myDomain.com.tr is my API address. Both are working on the same local machine on IIS. – fako May 05 '23 at 00:14
  • The error message says you're missing the `https://` and `www` parts though... – Dai May 05 '23 at 00:15
  • Dear @Dai, yes, you are right, but as you can see from the code I posted in my question, I added 'https://', and when I add 'www' the error just changes. – fako May 05 '23 at 00:21
  • What error message do you get when you do that? – Dai May 05 '23 at 00:23
  • I think you didn't see my comment; I answered that 2-3 comments ago. – fako May 05 '23 at 00:27
  • Are you referring to _"The 'Access-Control-Allow-Origin' header has a value 'example.com' that is not equal to the supplied origin."_? If so, then that error is because an Origin needs the URI scheme: `"example.com"` by itself **is not** a valid Origin, but `"https://example.com"` is - similarly `"www.example.com"` is not a valid Origin, but `"https://www.example.com"` is - and that origin is distinct from `"https://example.com"` (and is also distinct from `"http://example.com"`) - that's why you often need multiple variations on your Origins instead of relying on a single Origin value. – Dai May 05 '23 at 00:29
  • I don't need multiple variations as you say. But I'm getting this error; I don't use 2 or 3 headers with POST or GET methods. – fako May 05 '23 at 00:38
  • I can't help you any further because you aren't sharing your current actual error messages **verbatim** - even a screenshot of your browser's dev console would help. Because you're inconsistently editing the error messages before posting them I can't tell what's accurate and what isn't. – Dai May 05 '23 at 00:39

2 Answers

0

Please make sure that the URL of your client hosted on IIS is the same as the URL configured for CORS on the server:

client site:

enter image description here

server-side:

```csharp
builder.Services.AddCors(options => options.AddDefaultPolicy(
    policy => policy
    .WithOrigins("https://localhost:112")
    //...
));
```

In addition, this error may also appear when you enable Windows Authentication and disable Anonymous Authentication in IIS:

enter image description here

If this problem occurs in IIS, you may need to install the IIS CORS module and configure it for the app.

For more details, you can refer to this document and this case.

Chen
  • 4,499
  • 1
  • 2
  • 9
0

I found the solution on the IIS server. My two websites are on IIS and the same origin. I deleted the API's HTTP response header and it worked for me.

fako
  • 28
  • 5
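
Added example (not part of either answer or the asker's code): a JavaScript check that mirrors how the browser compares `Access-Control-Allow-Origin` with the request's `Origin`, run over constructed response headers modelled on the errors quoted in the question. The function names and sample headers are assumptions for illustration; the static `http://www.example.com` value stands in for an IIS HTTP response header like the one the asker removed.

```javascript
// Added example: mirrors the browser's Access-Control-Allow-Origin check.
// Headers are [name, value] pairs so duplicates from different layers stay visible.
function checkAllowOrigin(requestOrigin, responseHeaders, withCredentials = false) {
  const values = responseHeaders
    .filter(([name]) => name.toLowerCase() === 'access-control-allow-origin')
    .map(([, value]) => value.trim());

  if (values.length === 0) return { ok: false, reason: 'missing' };
  // Two layers (assumed here: a static server header plus the CORS middleware)
  // each emitting the header give a combined value that matches no single origin.
  if (values.length > 1 || values[0].includes(',')) {
    return { ok: false, reason: 'multiple-values', values };
  }
  const value = values[0];
  if (value === '*') {
    return withCredentials
      ? { ok: false, reason: 'wildcard-with-credentials' }
      : { ok: true, reason: 'wildcard' };
  }
  if (value === requestOrigin) return { ok: true, reason: 'match' };
  return { ok: false, reason: 'not-equal', value, differs: diffOrigin(requestOrigin, value) };
}

// Name which part (scheme, host, port) makes two origins distinct.
function diffOrigin(a, b) {
  let ua, ub;
  try { ua = new URL(a); ub = new URL(b); } catch { return ['not-a-valid-origin']; }
  const out = [];
  if (ua.protocol !== ub.protocol) out.push('scheme');
  if (ua.hostname !== ub.hostname) out.push('host');
  if (ua.port !== ub.port) out.push('port');
  return out;
}

// Constructed samples modelled on the messages quoted in the question.
const ORIGIN = 'https://example.com';
const staticHeaderOnly = [['Access-Control-Allow-Origin', 'http://www.example.com']];
const bothLayers = [
  ['Access-Control-Allow-Origin', 'http://www.example.com'], // static server header
  ['Access-Control-Allow-Origin', 'https://example.com'],    // CORS middleware
];
const middlewareOnly = [['Access-Control-Allow-Origin', 'https://example.com']];

for (const [label, headers] of [['static header only', staticHeaderOnly],
  ['static + middleware', bothLayers], ['middleware only', middlewareOnly]]) {
  console.log(label, JSON.stringify(checkAllowOrigin(ORIGIN, headers)));
}
```

Feeding it the `Access-Control-Allow-Origin` lines copied from the preflight response in the browser's network tab shows whether the value is a mismatch or a duplicate added by a second layer.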