ASP.NET Core 2.2 CORS No 'Access-Control-Allow-Origin' header

  • Question

  • User32856189 posted

    I'm having trouble consuming an ASP.NET Core 2.2 web API.

    The JavaScript code below works well; I can get all clients fine:

    fetch('https://10.20.0.20:8081/api/clients/list').then(data => { data.json().then(dt=>{console.log(dt)}) }).catch(error => { console.log(error)});

    But this one doesn't work

    fetch('https://10.20.0.20:8081/api/clients/list',{ "headers": {"content-type": "application/json"}}).then(data => { data.json().then(dt=>{console.log(dt)}) }).catch(error => { console.log(error)});

    Well... This is what I have in my ConfigureServices method from Startup.cs

    services.AddCors(setup => setup.AddPolicy("AllowAll", builder => builder.AllowAnyHeader().AllowAnyMethod().AllowAnyOrigin().AllowCredentials()));

    My first line after Configure method from Startup.cs

    app.UseCors("AllowAll");

    When I comment out the line above, both fetch calls stop working.

    I did this little test just because I'm using Angular to consume this API and I'm facing this same problem.

    Error message:

    Access to fetch at 'https://10.20.0.20:8081/api/clients/Listar' from origin 'https://10.20.0.20:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. 

    Thursday, May 14, 2020 7:45 PM

Answers

  • User32856189 posted

    Someone had put OPTIONS as false in Request Filtering -> HTTP Verbs on IIS :cry:

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, May 18, 2020 1:17 PM
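
Why only the second fetch in the question failed, as an added example that is not code from any post in this thread: a simplified model of the Fetch standard's preflight rules, showing that the `content-type: application/json` header forces an OPTIONS preflight and how the browser judges the preflight response. It ignores credentials, the `Range` header and byte-level header checks; all function names and the two sample responses are constructed for illustration.

```javascript
// Added example: simplified model of the Fetch standard's preflight rules.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Author-set headers that are not CORS-safelisted (lower-cased names).
function unsafeHeaders(headers = {}) {
  return Object.entries(headers).filter(([name, value]) => {
    const key = name.toLowerCase();
    if (String(value).length > 128) return true;
    if (SAFE_HEADERS.has(key)) return false;
    const essence = String(value).split(';')[0].trim().toLowerCase();
    return !(key === 'content-type' && SAFE_CONTENT_TYPES.has(essence));
  }).map(([name]) => name.toLowerCase());
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// The browser's decision on a preflight response `res` ({ status, headers }
// with lower-cased header names), for a request without credentials.
function preflightVerdict(res, origin, headers = {}) {
  const allowOrigin = res.headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'blocked: no Access-Control-Allow-Origin header';
  if (allowOrigin !== '*' && allowOrigin !== origin) return 'blocked: origin not allowed';
  if (res.status < 200 || res.status > 299) return 'blocked: preflight status is not 2xx';
  const allowed = (res.headers['access-control-allow-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase());
  const missing = unsafeHeaders(headers).filter(h => !allowed.includes(h) && !allowed.includes('*'));
  return missing.length ? `blocked: header not allowed: ${missing.join(', ')}` : 'ok';
}

// Constructed sample data (origin and header are the ones from the question).
const ORIGIN = 'https://10.20.0.20:8080';
const JSON_HEADERS = { 'content-type': 'application/json' };
// OPTIONS rejected by the web server before the app runs: no CORS headers.
const FILTERED = { status: 404, headers: {} };
// OPTIONS answered by a CORS policy that lists this origin and header.
const ANSWERED = { status: 204, headers: {
  'access-control-allow-origin': ORIGIN,
  'access-control-allow-headers': 'content-type' } };

console.log(needsPreflight('GET'), needsPreflight('GET', JSON_HEADERS));
console.log(preflightVerdict(FILTERED, ORIGIN, JSON_HEADERS));
console.log(preflightVerdict(ANSWERED, ORIGIN, JSON_HEADERS));
```

When a preflight never reaches the application, the CORS policy in Startup.cs cannot add its headers, which is why changing the policy had no effect on the affected server.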

All replies

  • User711641945 posted

    Hi heliobarbosa,

    Specifying AllowAnyOrigin and AllowCredentials is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.

    Try to use SetIsOriginAllowed as a workaround:

    services.AddCors(options =>
    {
        options.AddPolicy("AllowAll",
            builder => builder.AllowAnyMethod()
                              .AllowAnyHeader()
                              // Accepts every origin: the request's Origin value is echoed back.
                              .SetIsOriginAllowed(_ => true)
                              //.AllowAnyOrigin()
                              .AllowCredentials());
    });

    Or try to specify the origin:

    services.AddCors(options =>
    {
        options.AddPolicy("AllowOrigin",
        builder =>
        {
            builder.WithOrigins("http://localhost:4200")
                                .AllowAnyHeader()
                                .AllowAnyMethod()
                                .AllowCredentials();
        });
    });

    Reference:

    https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.1#set-the-allowed-origins

    https://stackoverflow.com/a/57565870/11398810

    https://stackoverflow.com/a/60110043/11398810

    Best Regards,

    Rena

    Friday, May 15, 2020 5:41 AM
  • User32856189 posted

    Hi Rena, thank you for your participation.

    It didn't work, unfortunately.

    I have the same app/code working in another IIS. I guess it is something with IIS, but I don't know what it can be.

    Friday, May 15, 2020 12:25 PM
  • User475983607 posted

    I have the same app/code working in another IIS. I guess it is something with IIS, but I don't know what it can be.

    Windows authentication?

    Friday, May 15, 2020 1:27 PM
  • User32856189 posted

    I removed the AllowCredentials method from the builder, and in IIS everything is disabled; just Anonymous is enabled.

    Friday, May 15, 2020 1:37 PM
  • User-474980206 posted

    I would try with a supported version of asp.net core. Either fall back to 2.1 or convert to 3.1

    Friday, May 15, 2020 2:48 PM
  • User32856189 posted

    I wrote a middleware to check all request methods with context.Request.Method. On my local machine I got GET and OPTIONS methods, but on this server I got only GET. I guess that the problem is with this server.

    Saturday, May 16, 2020 10:37 AM
  • User-2054057000 posted

    The Access-Control-Allow-Origin error is due to the browser not allowing the external API call. You have to enable CORS in your API project, which will correct this problem. See How to Enable Cross-Origin Requests (CORS) in ASP.NET Core.

    Sunday, May 17, 2020 8:41 AM