15

From what I understand, when CORS is enabled accordingly, the response model should include the following header information (provided that I want to allow everything):

```
Access-Control-Allow-Origin: *
Access-Control-Allow-Method: *
Access-Control-Allow-Header: *
```

Enabling it in Startup:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    //...
    services.AddCors();
    services.ConfigureCors(options => 
    {
        options.AddPolicy("AllowAll", p => p.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader().AllowCredentials());
    });
    //...
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    //...
    app.UseCors("AllowAll");
    //...
}
```

The problem is that none of these headers are returned and I get the following error when trying to request from the API:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access.

Maria Ines Parnisari
Dave New
  • Does this error come up in the Chrome console? – user2120121 Dec 03 '15 at 13:14
  • 1
    Did you register the CORS middleware before the MVC middleware? Can you share more info on your `Configure` method? – Kiran Dec 03 '15 at 13:55
  • 3
    As Kiran said, this won't work if you have added `app.UseCors` after `app.UseMvc` in your `Startup.Configure` method. You need to add the Cors middleware before the MVC middleware. (By the way, in RC1 there is no `ConfigureCors` method anymore and the options can be passed directly into the `AddCors` method) – Daniel J.G. Dec 03 '15 at 14:27
  • 2
    @DanielJ.G., the correct order (`app.UseCors` before `app.UseMvc`) did the trick for me. Please add this as an answer so I can upvote it :) Thanks! This is annoying since it is not mentioned in the [latest docs](http://docs.asp.net/en/latest/security/cors.html). – realMarkusSchmidt Jan 18 '16 at 13:19
  • I do not have `app.UseMvc()`. Only: ```app.UseHttpsRedirection(); app.UseRouting(); app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); });``` – Kiquenet Apr 28 '21 at 14:26

2 Answers

22

Make sure you add `app.UseCors` before `app.UseMvc` in your `Startup.Configure` method, because you need the CORS middleware to be applied before the MVC middleware.

```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    // ...

    //Add CORS middleware before MVC
    app.UseCors("AllowAll");

    app.UseMvc(...);
}
```

Otherwise the request will be finished before the CORS middleware is applied. This is because `UseMvc` calls `UseRouter`, which ends up adding the `RouterMiddleware`, and this middleware only executes the next configured middleware when a route handler wasn't found for the request.

Daniel J.G.
  • Wow, this helped. Our `Configure(IApplicationBuilder app)` was abstracted into a base class. So we were calling `app.UseCors` after calling the base class. – sunil Apr 24 '18 at 17:24
3

In .NET Core Web API 5.0, in the `Configure` method, you have to add `app.UseCors` before the other methods, like this:

```csharp
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        // ...
    }

    //add CORS
    app.UseCors();

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}
```
kacpersii
  • You sure about that? "System.InvalidOperationException: Endpoint {app_name}.Web.Controllers.PageController.GetPageListing ({app_name}) contains CORS metadata, but a middleware was not found that supports CORS. Configure your application startup by adding app.UseCors() inside the call to Configure(..) in the application startup code. The call to app.UseCors() must appear between app.UseRouting() and app.UseEndpoints(...)" in a .Net Core Web API 5.0 application. – JeremyW May 08 '22 at 02:17
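
Added example, not code from the question or from either answer: an ASP.NET Core 5.0 `Startup` that places `UseCors` between `UseRouting` and `UseEndpoints`, as the exception message quoted in the comment above requires, and that names its allowed origin instead of combining `AllowAnyOrigin()` with `AllowCredentials()`. The policy name `ApiClients` and the method and header lists are assumptions; the origin `http://localhost` is the one from the error in the question.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    // Hypothetical policy name, used only in this example.
    private const string ApiClientsPolicy = "ApiClients";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            // Weak form from the question, kept as a comment for contrast:
            //   p.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader().AllowCredentials()
            // Browsers refuse "Access-Control-Allow-Origin: *" on credentialed
            // requests, and ASP.NET Core 3.0 and later reject a policy that
            // combines AllowAnyOrigin() with AllowCredentials().
            options.AddPolicy(ApiClientsPolicy, policy => policy
                .WithOrigins("http://localhost")               // explicit origin list
                .WithMethods("GET", "POST")                    // assumed method set
                .WithHeaders("Content-Type", "Authorization")  // assumed header set
                .AllowCredentials());
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseHttpsRedirection();
        app.UseRouting();

        // With endpoint routing, CORS goes after UseRouting and before
        // UseAuthorization and UseEndpoints, so preflight (OPTIONS) requests
        // are answered before authorization runs.
        app.UseCors(ApiClientsPolicy);

        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```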