-
Notifications
You must be signed in to change notification settings - Fork 47
No CORS headers sent in case of error 500 #46
Comments
I just upgraded from beta7 -> beta8 and was wondering why CORS worked for most of my requests but one was showing as an error in Chrome with the response containing no |
@kichalla can you check this out and figure out what the correct behavior should be? |
This may be happening with any non-200 response. I too am seeing it on 400s. |
Further investigation has shown me that this only seems to be happening on responses outside of the MVC pipeline. For example, I can return a status of 400 from a controller and do not have this issue, however, if I return a status of 400 from |
This is by design due to the following reasons:
|
This is what I am trying to achieve with the |
For future reference,I was able to achive this with @kichalla's recommendation by using an
Thanks. |
Right, an MVC exception filter is the place to do this. |
Has this issue been revisited? But the main problem for me is that if I allow some domain do make CORS requests, I expect them to get all the information. If the request was made with "XMLHttpRequest" as fallows: If the response is indeed 500 but without CORS headers, then the "XMLHttpRequest" status will be 0 not 500. So what's your ideas on this? Or am I missing something? |
I will just comment that this did seem odd to me. I worked through this issue today. I ended up returning a header along with a 400 status(Bad Request). Not necessarily accurate because my use case was a timed out session that I wanted to make the user aware of. I will warn against using 408(Request Timeout) as the browser will re-send the request(at least if it's a jquery AJAX request) and you will likely get stuck in a loop. Here is a code sample(MVC Controller):
|
I would like to reopen this issue. The workaround using the MVC filter does not solve the issue in all cases. The root cause of the issue remains, which is Looking at the source code shows that the CORS headers are added to the response BEFORE the request is processed. This means any subsequent middleware may inadvertently remove these headers. Instead, we should take advantage of the async The CorsMiddleware could potentially be fixed by moving where the headers are added.
|
Related issue: dotnet/aspnetcore#2378 |
What on earth have errors to do with CORS? If I turn CORS on, I expect it to be on for everything. This behaviour is perverse and patronising, and would send me running in panic from this framework. As a consumer of a service, how can I integrate if I don't have access to error information. Bangs head against wall. Does any other framework do this? |
All the issues relating to this bug are being closed. Plus they all reference each other too - it's just a circle of issues! Does anyone know if this bug going to be addressed? Or do we have to implement said workarounds? |
I agree with @bbsimonbb, this is somewhat patronising! It is a common pattern to have some kind of high-level middleware that catches Exceptions that bubble up and wrap them in an Error that is then send down to the client. CORS headers should be added to all responses if it has been defined in startup's
@kichalla This argument is pretty weak IMO, as sensitive information can always leak, not just in case of errors. Plus, if a developer writes code that sends down unsanitized exception messages/traces, the whole application is probably poorly designed anyway. |
I'm thinking of starting a PR to see if I can fix this, is that ok? |
This issue would not exist, if CORS middleware was adding headers with OnStarting event, instead of putting them directly to headers dictionary. Can CORS middleware be updated to add headers with OnStarting event? |
This issue was moved to dotnet/aspnetcore#2378 |
When the controller throws an exception, which results in an error 500, the CORS headers are not sent.
Is that by design? If so, why? If not, that's probably a bug.
The text was updated successfully, but these errors were encountered: