-1

I set CORS in my .NET Core application like this:

    app.UseCors(builder => builder
        .WithOrigins("https://*.example.com")
        .SetIsOriginAllowedToAllowWildcardSubdomains()
        .SetIsOriginAllowed(origin => _configuration.GetSection("Cors:AllowedOrigins").Get<IList<string>>().Contains(origin))
        .AllowAnyHeader()
        .AllowAnyMethod());

The server response header is:

access-control-allow-origin: https://*.example.com

So I don't understand why I get this error because it looks like it has support for any sub-domain.

This is the full error:

login:1 Access to fetch at 'https://staging.example.com/' from origin 'https://app.example.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://*.example.com' that is not equal to the supplied origin. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Any idea why I get this error even though I try to access from a sub-domain of example.com?
According to the docs this should work.

Offir
  • `Access-Control-Allow-Origin: https://*.example.com` has no chance of working. The only wildcard allowed by the CORS protocol is `*` by itself, not within some kind of regexp. However you've configured CORS, it doesn't seem to do the right thing. – jub0bs Sep 28 '22 at 18:28
  • Hi @Offir, be sure the call to `UseCors` is placed after `UseRouting`, but before `UseAuthorization`. – Rena Sep 29 '22 at 05:04
  • @jub0bs not according to this and the official microsoft docs: https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0 – Offir Sep 29 '22 at 05:40
  • @Rena I changed the location of it like you suggested and it stopped working. – Offir Sep 29 '22 at 06:38
  • Hi @Offir, what's the error message now? – Rena Sep 29 '22 at 07:08
  • @Rena can you elaborate why I should move it after `UseRouting` and before `UseAuthorization`? – Offir Sep 29 '22 at 07:25
  • Hi @Offir, this is what the official document says. – Rena Sep 29 '22 at 07:28
  • @Rena https://stackoverflow.com/questions/59945375/405-method-not-allowed-and-blocked-by-cors-policy – Offir Sep 29 '22 at 07:29
  • Hi @Offir, I think you need to read carefully and check the official document link in that answer. – Rena Sep 29 '22 at 07:34
  • @Rena I already solved this by adding explicit origins instead of `*`, now I have another problem.. – Offir Sep 29 '22 at 07:40
  • Hi @Offir, if you have another problem you can post a new thread. And for this thread you can share your answer below to let others quickly know the answer. – Rena Sep 29 '22 at 07:57

2 Answers

0

I solved this by changing the middleware order as suggested in the official Microsoft docs.

Even though the Microsoft docs mention the option to allow sub-domains, it didn't work for me and I had to add them explicitly.

This is the order of my middleware in startup.cs:

    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseRouting();
    app.UseCors(builder => builder
        .WithOrigins(_configuration.GetSection("Cors:AllowedOrigins").Get<string[]>())
        .AllowAnyHeader()
        .AllowAnyMethod());

    app.UseAuthentication();
    app.UseAuthorization();

    // custom middlewares
    app.UseRequestResponseLogging();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
        endpoints.MapHealthChecks("/health");
    });

appsettings.json:

    {
      "Cors": {
        "AllowedOrigins": [
          "https://example.com",
          "https://sub.example.com",
          "https://tests.example.com",
          "https://staging.example.com"
        ]
      }
    }
Offir
-1

You did not say the .NET Core version. Anyway, in your Startup.cs define a policy like:

    services.AddCors(opt =>
    {
        opt.AddPolicy("examplePolicy", builder =>
        {
            // AllowAnyOrigin() takes no arguments; a wildcard-subdomain pattern goes in
            // WithOrigins together with SetIsOriginAllowedToAllowWildcardSubdomains()
            builder.WithOrigins("https://*.example.com")
                .SetIsOriginAllowedToAllowWildcardSubdomains()
                .AllowAnyHeader()
                .AllowAnyMethod();
        });
    });

then

    app.UseCors("examplePolicy");

Finally, the API:

    [EnableCors("examplePolicy")]
    [HttpGet("...")]
    public void yourAPI()
    {
    }
Hossein Sabziani
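The question's wildcard and the literal `https://*.example.com` header fail for the same reason: the CORS protocol defines no subdomain wildcard. A browser accepts `Access-Control-Allow-Origin` only when it is `*` or byte-for-byte equal to the request's `Origin`, so "allow any subdomain" has to be implemented on the server by matching the incoming `Origin` and echoing that exact value back. That is what `SetIsOriginAllowedToAllowWildcardSubdomains()` installs as the policy's `IsOriginAllowed` predicate; `SetIsOriginAllowed(...)` assigns the same delegate, so in the question's chain the later call replaces the wildcard matcher and only exact entries from configuration can pass. The console program below is an added example (not from the question, either answer, or ASP.NET Core itself) that re-implements that matching stand-alone so you can see which origins pass and which headers come back. The `AllowedOrigins` list, the probe origins and all function names are constructed for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: server-side origin matching for "any subdomain of example.com".
// This is a stand-alone re-implementation for illustration, not ASP.NET Core's code.
public static class CorsOriginCheck
{
    // Hypothetical allow-list in the shape of the question's Cors:AllowedOrigins
    // setting: exact origins plus one "scheme://*.domain" wildcard entry.
    public static readonly string[] AllowedOrigins =
    {
        "https://example.com",
        "https://*.example.com",
    };

    // Exact match first (ordinal, like a plain list lookup), then wildcard entries.
    public static bool IsOriginAllowed(string origin, IEnumerable<string> allowed)
    {
        if (string.IsNullOrEmpty(origin)) return false;
        var list = allowed.ToList();
        if (list.Contains(origin, StringComparer.Ordinal)) return true;

        // A real Origin header is "scheme://host[:port]" with no path; anything
        // else (including the literal "null") is rejected before matching.
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var originUri)
            || originUri.PathAndQuery != "/")
        {
            return false;
        }

        return list.Where(a => a.IndexOf("*.", StringComparison.Ordinal) >= 0)
                   .Any(a => MatchesWildcardSubdomain(a, originUri));
    }

    // pattern is "scheme://*.domain[:port]". Scheme and port must match and the
    // host must be at least one label followed by ".domain". Bare "example.com",
    // "evilexample.com" and "example.com.attacker.net" all fail on purpose.
    private static bool MatchesWildcardSubdomain(string pattern, Uri originUri)
    {
        var star = pattern.IndexOf("*.", StringComparison.Ordinal);
        if (star < 0) return false;

        // Drop the "*." so the rest parses as a normal URI and yields scheme/host/port.
        if (!Uri.TryCreate(pattern.Remove(star, 2), UriKind.Absolute, out var baseUri))
        {
            return false;
        }
        if (!string.Equals(baseUri.Scheme, originUri.Scheme, StringComparison.OrdinalIgnoreCase)
            || baseUri.Port != originUri.Port)
        {
            return false;
        }

        var suffix = "." + baseUri.Host;   // leading dot: "evilexample.com" must not match
        var host = originUri.Host;
        return host.Length > suffix.Length
            && host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase);
    }

    // Headers to emit for a given request Origin. An empty result means "send no
    // CORS headers", which makes the browser block the cross-origin read.
    public static IDictionary<string, string> ResponseHeaders(
        string origin, IEnumerable<string> allowed, bool allowCredentials)
    {
        var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (!IsOriginAllowed(origin, allowed)) return headers;

        headers["Access-Control-Allow-Origin"] = origin; // echo the matched origin, never the pattern
        headers["Vary"] = "Origin";                       // value depends on Origin, so caches must key on it
        if (allowCredentials)
        {
            // With credentials the browser also rejects "*", so a strict echo of a
            // matched origin is the only workable value.
            headers["Access-Control-Allow-Credentials"] = "true";
        }
        return headers;
    }

    public static void Main()
    {
        // Constructed request origins: the question's two hosts plus look-alikes.
        string[] probes =
        {
            "https://app.example.com",
            "https://staging.example.com",
            "https://example.com",
            "http://app.example.com",
            "https://app.example.com:8443",
            "https://evilexample.com",
            "https://example.com.attacker.net",
            "null",
        };
        foreach (var origin in probes)
        {
            var h = ResponseHeaders(origin, AllowedOrigins, allowCredentials: false);
            var verdict = h.Count == 0
                ? "no CORS headers (browser blocks)"
                : "Access-Control-Allow-Origin: " + h["Access-Control-Allow-Origin"] + "; Vary: " + h["Vary"];
            Console.WriteLine($"{origin,-34} -> {verdict}");
        }
    }
}
```

Run it as a plain console project with `dotnet run`. Two details matter when you write your own predicate for `SetIsOriginAllowed`: the scheme and port are part of the origin, so `http://` and `:8443` variants of an allowed host are separate origins and must be rejected, and the suffix comparison needs the leading dot or `evilexample.com` would pass. Because the header value now varies per request, the response must carry `Vary: Origin`, otherwise a shared cache can hand one origin's response to another. If the policy also calls `AllowCredentials()`, the browser rejects `*` as well, which is exactly why the echo must be backed by a strict match rather than reflecting whatever `Origin` arrives.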