CORS policy not applied correctly

Question
-
Hi, we have two gateways provisioned, one for dev and one for automated testing. They both have identical CORS policies (see below) - however during the pre-flight OPTIONS request the dev gateway does not return the following, so the browser is not happy. The AT one does return the following list and works fine.
Access-Control-Allow-Headers:content-type
Access-Control-Allow-Methods:PUT
Access-Control-Allow-Origin:*
Request Method:OPTIONS
Given the policies are identical (I even copied and pasted from AT to Dev just to be sure) is this a bug in the dev instance of the gateway?
<policies>
    <inbound>
        <cors>
            <allowed-origins>
                <origin>*</origin>
                <!-- allow any -->
                <!-- OR a list of one or more specific URIs (case-sensitive) -->
            </allowed-origins>
            <allowed-methods>
                <!-- allow any -->
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <!-- allow any -->
                <header>*</header>
            </allowed-headers>
        </cors>
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
</policies>
Thursday, September 15, 2016 1:07 AM
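An added example (not part of the original thread and not API Management code): a small Python check that applies the browser's preflight rules to a response's headers, so the dev and AT gateway responses can be compared header by header. The sample responses, the origin https://app.example and the function name preflight_problems are constructed for illustration, and a non-credentialed request is assumed.

```python
# Added example: decide whether a browser would accept a CORS preflight response.
# The sample responses are constructed, not captured from the gateways in the thread.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need to be listed explicitly


def _tokens(value):
    """Split a comma-separated header value into stripped, non-empty tokens."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]


def preflight_problems(response_headers, origin, method, request_headers=()):
    """Return the reasons a preflight would fail (empty list means it passes).

    Assumes a non-credentialed request, where "*" is honoured as a wildcard.
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    problems = []

    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("missing Access-Control-Allow-Origin")
    elif allow_origin.strip() not in ("*", origin):
        problems.append(f"origin {origin} not allowed")

    methods = _tokens(h.get("access-control-allow-methods"))
    if method not in SAFELISTED_METHODS and "*" not in methods and method not in methods:
        problems.append(f"method {method} not in Access-Control-Allow-Methods")

    allowed = {t.lower() for t in _tokens(h.get("access-control-allow-headers"))}
    for name in request_headers:
        # Authorization is never covered by "*"; it must be listed by name.
        wildcard_ok = "*" in allowed and name.lower() != "authorization"
        if name.lower() not in allowed and not wildcard_ok:
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems


# Constructed responses modelled on the behaviour described in the question.
AT_RESPONSE = {
    "Access-Control-Allow-Headers": "content-type",
    "Access-Control-Allow-Methods": "PUT",
    "Access-Control-Allow-Origin": "*",
}
DEV_RESPONSE = {"Content-Length": "0"}  # no Access-Control-* headers returned

if __name__ == "__main__":
    for name, resp in (("AT", AT_RESPONSE), ("dev", DEV_RESPONSE)):
        issues = preflight_problems(resp, "https://app.example", "PUT", ["Content-Type"])
        print(name, "OK" if not issues else issues)
```

Feeding it the headers actually returned by each gateway's OPTIONS response shows exactly which Access-Control-* header the failing instance omits.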
Answers
-
Hello,
When you are applying CORS at the global scope, are you getting any error message? Please provide us the same, which might help us to resolve your issue.
Regards,
Swikruti
- Proposed as answer by Swikruti Bose Wednesday, September 21, 2016 5:50 PM
- Marked as answer by Sjoukje Zaal MVP Thursday, March 2, 2017 3:58 PM
Tuesday, September 20, 2016 5:24 PM
All replies
-
The AT environment has since stopped working - we register the services with the gateway programmatically at deploy time, so I suspect it's something to do with that (it's the only thing that's changed).
We've also found what seems to be a workaround - Go to the policy manager, CORS is set globally. Then go to the product, attempt to apply CORS policy to the product, we can't as the little blue arrow is greyed out (fair enough - it's already set at the global level). However go to the specific API, and you can assign CORS policy at that level, even though it's set globally - click on the 'View effective policy' button and you see a double up of CORS policy sections, but it works in the browser.
So at least it seems to be working now, but we'd prefer not to have to set CORS at each API to get it working.
Any advice greatly appreciated.
Thursday, September 15, 2016 1:32 AM -
Hello,
Thank you for posting here!
I would suggest you check this link, http://www.c-sharpcorner.com/UploadFile/a3d5d0/manage-cors-cross-origin-resource-sharing-on-windows-azure/, which has been mentioned for “Manage CORS on Azure” and might help you.
Also, you can check for enabling CORS for ASP.NET. Please refer to this link: http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
Regards,
Swikruti
If a post answers your question, please click Mark as Answer on that post and Vote as Helpful.
Disclaimer:
This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.
Thursday, September 15, 2016 1:01 PM -
Thanks Swikruti, your reply seems to be suggesting changing a setting on our web services, whereas my question was about configuring this for API Management.
Are you saying that even though API Management is applying (or pretending to apply) a CORS policy at the gateway level that we still must configure each backend service for CORS?
Thursday, September 15, 2016 10:04 PM -
Hello,
Thank you for getting back to us.
As per our understanding, you can set CORS policy at global scope, which you can use to manage your API in API Management. The same link will help you which I have provided above to do the same.
Regards,
Swikruti
Friday, September 16, 2016 5:19 PM -
Hi Swikruti,
As per my first post, we are applying CORS at the global scope but it is being applied inconsistently and is not working, and I'm looking for advice as to whether this is a bug or expected behaviour.
Richard
Friday, September 16, 2016 11:03 PM