5

I have a requirement to access my .NET Core 3.1 WebApi from an origin other than that which it is served from. However, when I follow the guidance from Microsoft I still get the following JavaScript error on the client-side:

Access to fetch at 'http://localhost:50679/merchants' from origin 'http://localhost:64237' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

In my Startup class, my ConfigureServices method looks like this:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder =>
            {
                builder.WithOrigins("http://localhost:64237");
            });
    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);

    services.AddControllers();
}

...and my Configure method looks like this:

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseCors("CorsPolicy");

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

I have then used the EnableCors attribute on the controller method I am calling like so:

[EnableCors("CorsPolicy")]

I have seen several posts on StackOverflow concerning CORS, but none of them have helped, as I have seen nothing I am doing incorrectly. However, most of them are not specific to .NET Core 3.1. I have also done a sense check and set breakpoints to check that all of the above code is being run.

Can anyone please explain why I am not able to use Cors in this situation please?

erzulie

2 Answers

2

You can try removing the app.UseCors("CorsPolicy") and app.UseEndpoints(...) block from Startup.cs, as it applies CORS policies to all of the app's endpoints via CORS middleware, whereas [EnableCors("CorsPolicy")] enables it on a controller, action method, etc.

Per Microsoft you should not use both approaches at the same time:

We recommend against combining policies. Use the [EnableCors] attribute or middleware, not both in the same app.

// Remove this piece of code
app.UseCors("CorsPolicy");
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});

And also update your policy by using:

options.AddPolicy(
    "CorsPolicy",
    builder =>
    {
        builder.
            WithOrigins("http://localhost:64237").
            AllowAnyHeader().
            AllowAnyMethod();
    });
lsoliveira
Shahid Manzoor Bhat
0

I suppose you should add some other permissions

builder.AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials()
    .WithOrigins("http://localhost:64237");
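
The error quoted in the question is raised by the browser's check on the response to the OPTIONS preflight. The block below is an added example, not code from the question or from either answer: a simplified JavaScript model of that check, run over constructed sample responses, showing which ones fail and why. The function name `checkPreflight` and the sample objects are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's CORS preflight check.
const list = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// req: { origin, method, headers: [non-safelisted header names], credentials }
// res: { status, headers } for the server's answer to the OPTIONS request
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = v;

  // The preflight must be answered directly; a 3xx is never followed.
  if (res.status >= 300 && res.status <= 399)
    return "Redirect is not allowed for a preflight request";
  if (res.status < 200 || res.status > 299) return "preflight status is not 2xx";

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) return "no Access-Control-Allow-Origin header";
  if (allowOrigin === "*" ? req.credentials : allowOrigin !== req.origin)
    return "Access-Control-Allow-Origin does not match the request";
  if (req.credentials && h["access-control-allow-credentials"] !== "true")
    return "Access-Control-Allow-Credentials is not 'true'";

  // "*" in the method/header lists only counts for non-credentialed requests.
  const permits = (allowed, name) =>
    allowed.includes(name) || (!req.credentials && allowed.includes("*"));
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) &&
      !permits(list(h["access-control-allow-methods"]), method))
    return `method ${req.method} is not allowed`;
  const allowedHeaders = list(h["access-control-allow-headers"]);
  for (const name of list(req.headers.join(",")))
    if (!permits(allowedHeaders, name)) return `header ${name} is not allowed`;
  return "ok";
}

// Constructed samples (not captured traffic); origin taken from the question.
const request = { origin: "http://localhost:64237", method: "GET",
                  headers: ["Content-Type"], credentials: false };
const redirected = { status: 307, headers: {} };
const originOnly = { status: 204, headers: {
  "Access-Control-Allow-Origin": "http://localhost:64237" } };
const withHeaders = { status: 204, headers: {
  "Access-Control-Allow-Origin": "http://localhost:64237",
  "Access-Control-Allow-Headers": "Content-Type" } };

for (const res of [redirected, originOnly, withHeaders])
  console.log(res.status, checkPreflight(request, res));
```

In the question's pipeline, app.UseHttpsRedirection() runs before app.UseCors() and the fetch targets an http:// URL, which is one way a preflight ends up answered with a 3xx. The credentials branch also shows why a policy that uses AllowCredentials() has to name explicit origins rather than a wildcard.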