0

I have been having trouble getting my CORS requests to work between an asp net core API and an Angular 8 app using a generated Nswag typescript client.

Just now I figured out why. My origin is "null". Not http://localhost:4200 as I expected it to be.

So when I added "null" as an allowed origin everything works. But I want to understand why, and what implications this would have if I left let "null" be an allowed origin in production.

Currently my code looks like this.

appsettings.json

"CORS-Settings": {
  "Allow-Origins": [
    "http://localhost",
    "http://localhost:4200",
    "https://localhost",
    "https://localhost:4200",
    "null"     // <-- if I remove this my localhost browser gets denied by CORS
  ],
  "Allow-Methods": [ "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE" ]
}

Startup.cs

public void ConfigureServices(IServiceCollection services)
{
   services.AddCors();
   // other stuff
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceScopeFactory scopeFactory, ILoggerFactory loggerFactory)
{
    var allowedMethods = Configuration.GetSection("CORS-Settings:Allow-Methods").Get<string[]>();
    var allowedOrigins = Configuration.GetSection("CORS-Settings:Allow-Origins").Get<string[]>();

    app.UseCors(
        options => options
        .WithOrigins(allowedOrigins)
        .WithMethods(allowedMethods)
    );
    // other stuff
}

So why do i need to add "null" as an allowed origin, and is this harmful if it were to make it to production?

If it makes any difference, I'm using firefox v72.0.1.

JensB
  • 6,663
  • 2
  • 55
  • 94

2 Answers2

0

Try and see. Do like below.

  1. Please change your appsettings.json
"CORS-Settings": {
  "Allow-Origins": [
    "http://localhost:4200",
    "https://localhost:4200"
  ],
  "Allow-Methods": [ "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE" ]
}
  1. Change the configure method.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IServiceScopeFactory scopeFactory, ILoggerFactory loggerFactory)
{
    var allowedMethods = Configuration.GetSection("CORS-Settings:Allow-Methods").Get<string[]>();
    var allowedOrigins = Configuration.GetSection("CORS-Settings:Allow-Origins").Get<string[]>();

    app.UseCors(
        options => options
        .WithMethods(allowedMethods)
        .WithOrigins(allowedOrigins)
      );
    // other stuff
}
Binara Thambugala
  • 776
  • 6
  • 17
  • All I can see that you have done is to remove the "null" from the appsettings. This will not work for me as the origin that dot net core gets is "null". So if I remove "null" the request will be denied. – JensB Jan 18 '20 at 20:28
  • i have removed ```http://localhost``` and ```https://localhost``` lines. try and see. if it is not working let me know. i'll tell another way. – Binara Thambugala Jan 18 '20 at 20:30
0

It seems CORS headers do not generated for local address, it will generated for remote address.

So if you are using windows, you can manipulate by adding host alias into hosts file (C:\Windows\System32\drivers\etc\hosts), point to local address.

eg: 127.0.0.1 test123.com

Then please change your appsettings.json:

"CORS-Settings": {
  "Allow-Origins": [
    "http://test123.com:4200",
    "https://test123.com:4200"
  ],
  "Allow-Methods": [ "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE" ]
}

Hope this helps.

OO7
  • 660
  • 4
  • 10