CORS in ASP.NET Core 3.x

  • Question

  • User1286808301 posted

    Hi. I tried to set up and use CORS with an Angular SPA and ASP.NET Core 3.0.100 created from Visual Studio. My goal is to not use a CORS policy (or to use a permissive policy) for the default route that serves the SPA. All endpoint routes use a defined policy to specify the origin (same as the SPA origin). I tried that, but I get log info in the console telling me "No CORS policy found for the specified request" for routes like the default or the login. If someone has an idea ;) https://hastebin.com/ufosivegid.cs

    Sunday, October 20, 2019 8:49 PM


All replies

  • User711641945 posted

    Hi BeRoots,

    Could you share more details about your two projects? And check if you set the right URL in appsettings.json (the URL should be that of the project which calls the API).

    Reference:

    https://weblog.west-wind.com/posts/2016/sep/26/aspnet-core-and-cors-gotchas

    https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.0

    Best Regards,

    Rena

    Monday, October 21, 2019 10:00 AM
  • User1286808301 posted

    Hi Rena Ni.

    It is just a simple Angular template from dotnet using ASP.NET Core 3.0.100. The code is here: https://github.com/BeRoots/aspnetcore3-angular-spa/blob/dev-cors/Startup.cs

    (branch dev-cors)

    Monday, October 21, 2019 12:00 PM
  • User475983607 posted

    Can you clarify the requirements?

    Simply, the browser generates CORS errors when an XHR, AJAX, or fetch request does not follow the browser's same-origin security policy. All JavaScript HTTP requests that are cross-origin must use CORS. If the HTTP request is not cross-origin then CORS is not needed.

    Often a solution is creating a proxy on the web application that invokes the Web API from the server, which does not require CORS.

    Monday, October 21, 2019 1:42 PM
  • User1286808301 posted

    My goal is to ensure the HTTP request origin is the same domain for the API part of this application, and to allow all origins for the home route serving the SPA.

    Monday, October 21, 2019 2:40 PM
  • User475983607 posted

    My goal is to ensure the HTTP request origin is the same domain for the API part of this application, and to allow all origins for the home route serving the SPA.

    I'm still not sure what you are asking.

    Let's say you have two domains  www.web.com and www.api.com.  If the SPA application is downloaded from www.web.com, making HTTP requests to www.web.com does not require CORS as www.web.com is the same origin as that rendered the SPA.  HTTP requests to www.api.com require CORS since www.api.com is different than the original domain that loaded the JavaScript application.

    If you wish to get around CORS then you can create a proxy on www.web.com that makes HTTP request via .NET code to www.api.com.

    Monday, October 21, 2019 3:40 PM
  • User1286808301 posted

    Sorry for the strange response. I have just one application with a home route that serves the app and other routes for the API part. I have only one domain for this app.

    My goal is to ensure requests to the API routes are from this domain, to prevent other requests like wget or anything other than my app.

    I am thinking of using a reverse proxy to secure my app a bit, and behind it I will have my ASP.NET Core project... https://github.com/BeRoots/aspnetcore3-angular-spa/tree/dev-cors

    It's possible the reverse proxy will forward requests to many back-end servers for scalability (or something like that, but not for the moment).

    Monday, October 21, 2019 4:45 PM
  • User475983607 posted

    BeRoots

    Sorry for the strange response. I have just one application with a home route that serves the app and other routes for the API part. I have only one domain for this app.

    My goal is to ensure requests to the API routes are from this domain, to prevent other requests like wget or anything other than my app.

    I am thinking of using a reverse proxy to secure my app a bit, and behind it I will have my ASP.NET Core project... https://github.com/BeRoots/aspnetcore3-angular-spa/tree/dev-cors

    This is a totally different question. CORS does NOT secure Web API. CORS simply tells the browser it is okay to do a cross-origin request. CORS will not stop code from invoking a Web API endpoint.

    Use standard patterns and practices to secure a Web API application.  

    https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/

    BeRoots

    It's possible the reverse proxy will forward requests to many back-end servers for scalability (or something like that, but not for the moment).

    I have no idea what you are asking.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, October 21, 2019 5:51 PM
  • User1286808301 posted

    Thank you for your answer. I don't need CORS in my case. So if I do not use CORS, I get an info message in the console that says:

    info: Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware[10]
          No CORS policy found for the specified request

    Is there a way to disable CORS in my case?

    Wednesday, October 23, 2019 9:33 AM
  • User475983607 posted

    As explained above, CORS is a browser feature which cannot be disabled from code running on a server.  You can remove the CORS middleware from the startup.cs file and that will stop the CORS middleware from running in the HTTP pipeline.  

    Wednesday, October 23, 2019 11:34 AM
  • User1286808301 posted

    I agree with that, but how do I remove it? The application has no use of this middleware defined in the HTTP pipeline, but I still get this information about CORS. It's defined by default.

    Wednesday, October 23, 2019 12:58 PM
  • User475983607 posted

    I agree with that, but how do I remove it? The application has no use of this middleware defined in the HTTP pipeline, but I still get this information about CORS. It's defined by default.

    If the CORS middleware configuration has been removed from startup.cs then the middleware is no longer running and no further changes are required.

    https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.0

    Wednesday, October 23, 2019 1:46 PM
  • User1711320758 posted

    I wanted to piggyback on this discussion since I too am having a problem since upgrading one of the sites at work from .NET Core 2.2 to 3.0.

    I had a previous thread which showed I could dynamically allow any origin using middleware, and now with .NET Core 3.0 that seems to have stopped working.

    https://forums.asp.net/t/2154763.aspx?Allowing+any+origin+with+CORS

    I have a site that is hosted in IIS, and when it ran under 2.2 I had middleware code that would execute when a request was made. But now the only time I can get that code to execute is if I set IIS to allow anonymous.

    Is there a way to dynamically allow any origin and allow any method for .NET Core 3.0? I know the documentation says that can be dangerous, but I need to preserve existing functionality for intranet applications.

    What is interesting with the link in the prior reply is that the documentation's example still has the following line:

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);  

    Which we know is now obsolete.

    Thank you,

    Thursday, October 24, 2019 3:47 AM
  • User475983607 posted

    I have a site that is hosted in IIS, and when it ran under 2.2 I had middleware code that would execute when a request was made. But now the only time I can get that code to execute is if I set IIS to allow anonymous.

    This is a security issue/question, not CORS. Usually what happens is the security error response does not have the CORS headers. You can see the response in the browser's Dev Tools (F12). Remember CORS is a browser feature. The server always sends the response and has no idea if the client is CORS enabled or not. The browser blocks the response with a CORS error but the browser's network trace shows the response.

    Thursday, October 24, 2019 10:56 AM
  • User1711320758 posted

    The reason I think this is an ASP.NET CORS problem is we have other .NET 4.6 apps that work perfectly fine and have the same IIS settings of Windows Authentication Only.

    In the Global.asax for the 4.6 app I grab the Origin from the Header in the BeginRequest method and add the following:

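    // Global.asax.cs; needs System, System.Linq and System.Web.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var currentRequestOrigin = HttpContext.Current.Request.Headers["Origin"];
        var currentResponse = HttpContext.Current.Response;

        // Echo whatever Origin the caller sent back in the response header.
        if (currentRequestOrigin != null)
        {
            currentResponse.AppendHeader("Access-Control-Allow-Origin", currentRequestOrigin);
        }

        // End CORS preflight (OPTIONS) requests here, before the rest of the pipeline runs.
        if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
        {
            HttpContext.Current.Response.End();
        }
    }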

    In our ASP.NET Core 2.2 app we had middleware do something similar with a BeginInvoke setting the response headers.  Now with 3.0 none of it works.  So something is definitely different from the way .NET Core 3.0 integrates CORS as opposed to 2.2 or  regular 4.x apps.  

    Thursday, October 24, 2019 2:55 PM
  • User475983607 posted

    Did you have a look at the HTTP response in browser network tool as suggested? I'm betting you'll see a 401 Unauthorized status error or perhaps another error. Whatever the error, the CORS header will not exist within the error HTTP response which causes the browser to throw the CORS error.  Once you fix the security configuration issue(s), CORS will start working again.  I'm guessing the HTTP OPTIONS request is causing the authentication error.

    Keep in mind that Windows Authentication is handled by IIS; if you are using a reverse proxy the middleware is never reached.

    Thursday, October 24, 2019 3:16 PM
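
Added example, not part of any poster's reply: a simplified JavaScript model of the browser-side decisions described in this thread, covering the same-origin test for www.web.com versus www.api.com and the preflight that fails when an authentication-only server answers the credential-less OPTIONS request with a bare 401. The function names and the `authOnlyApi` stand-in server are hypothetical, and its responses are constructed.

```javascript
// Added example: simplified model of the browser's CORS decision.
// www.web.com / www.api.com come from the thread; the server below is constructed.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Same origin means scheme, host and port all match.
function isCrossOrigin(pageUrl, requestUrl) {
  return new URL(pageUrl).origin !== new URL(requestUrl).origin;
}

// The check the browser applies to response headers before exposing them to script.
function passesCorsCheck(headers, origin, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (withCredentials) { // "*" is not accepted on credentialed requests
    return acao === origin && headers["access-control-allow-credentials"] === "true";
  }
  return acao === origin || acao === "*";
}

// `server(method, hasCredentials)` is a hypothetical stand-in returning {status, headers, body}.
// Simplification: only the method triggers a preflight; request-header checks are omitted.
function browserRequest(pageUrl, requestUrl, method, withCredentials, server) {
  const origin = new URL(pageUrl).origin;
  if (!isCrossOrigin(pageUrl, requestUrl)) {
    return { verdict: "same-origin, CORS not involved", body: server(method, true).body };
  }
  if (!SIMPLE_METHODS.has(method)) {
    const pre = server("OPTIONS", false); // a preflight never carries credentials
    const allowed = (pre.headers["access-control-allow-methods"] || "").split(/\s*,\s*/);
    const ok = pre.status >= 200 && pre.status <= 299 &&
      passesCorsCheck(pre.headers, origin, withCredentials) && allowed.includes(method);
    if (!ok) return { verdict: "blocked: preflight failed", status: pre.status };
  }
  const res = server(method, withCredentials); // the server still processes the request
  return passesCorsCheck(res.headers, origin, withCredentials)
    ? { verdict: "allowed", body: res.body }
    : { verdict: "blocked: response hidden from script", status: res.status };
}

// Constructed API: echoes one origin, but answers every anonymous request with a bare 401.
function authOnlyApi(origin) {
  const cors = { "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true", "access-control-allow-methods": "PUT, DELETE" };
  return (method, hasCredentials) => hasCredentials
    ? { status: 200, headers: cors, body: "data" }
    : { status: 401, headers: {}, body: "" };
}
```

Calling the stand-in server directly, as a non-browser client would, returns the body with no CORS check at all, which is why CORS headers are not an access control for the API.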
  • User1711320758 posted

    I am using IIS to host the .NET Core App with windows authentication only. You are correct the options request is causing the problem.

    To allow any origin and any method, is there a recommended way to do that with .NET Core 3.0? And you are right, unless I turn on anonymous authentication for IIS, the middleware is never reached.

    Thursday, October 24, 2019 3:53 PM