Cannot "UseCors()" and "UseDeveloperExceptionPage()" together #247
Comments
|
DeveloperExceptionPage is a really big hammer designed to give you some debug output in a scenario that otherwise would have failed. If it's taking control then aren't client console messages are the least of your worries? Do those messages prevent you from getting the diagnostic information from the error page? |
|
No its not preventing me from getting the error details using fiddler. The problem is that most users of my api first assume that there is a cors error and they focus their efforts on that instead of the real error. It's just a bit misleading. If the cors response headers were correctly passed along then the error message would be exactly what the issue is and not a side effect of it. Thanks for responding so quickly! |
|
Just added more detail to the original description... |
|
@kichalla I think you looked at a similar issue before. Do you recall the conclusion? |
|
Ah so we already clear some headers in ExceptionHandlerMiddleware? I would think we want the exact same behavior for the Dev Exception page too. Ultimately they're the same scenario, just one for dev, one for prod. Should they both call some helper e.g. |
|
The ExceptionHandlerMiddleware isn't as impacted in its re-execution mode because middleware after it (CorsMiddleware) will get a chance to re-run. |
|
Ah ok so the fix is to always just fully clear everything that can be cleared? I can dig that. |
Are you sure about this? The Cors middleware looks for Cors specifc headers (ex: Origin) to consider it a Cors request and when try to re-execute the request in |
|
Do you really want to have to special case one middleware to know how another works? The VS templates should encourage people to split their apps or at least the pipeline into 2: web apps, and web apis. If there was a better partition in the apps or the pipeline then stuff like this wouldn't happen as often. |
|
I believe that clearing the RESPONSE headers IS the problem. I just wanted to add that because I don't know if that is clear after reading the latest comments. If the response headers are cleared of headers like the following... Access-Control-Allow-Origin: http://foo.example Then cors is not compatible with UseDeveloperExceptionPage. |
|
Yes, we know, but we've decided not to special case CORS in UseDeveloperExceptionPage as it's not a blocking issue, it only causes some warnings on the client. |
|
I understand that its not a high priority. However, is this a "we will fix it in the future" kind of thing or is it a "middleware should not have any knowledge of other middleware and we choose not to fix it " kind of thing? Either way, thanks for considering the change and we love where Asp.net Core is heading. |
|
We much prefer the latter, keeping things decoupled, up until we hit a functional blocker. If this doesn't block any scenarios then we won't fix it. |
|
We have no intention of doing anything with this issue in the upcoming milestones so I'm closing. |
|
Problem is you can't read the 500 status code |
|
This creates confusing errors downstream. I spent all day walking from a fetch error in my SPA back to this middleware. I wrote about the issue in detail here. If it wont be fixed, it would help a lot of devs if it was documented. |
Trying to "UseCors()" and "UseDeveloperExceptionPage()" together in an Asp.net 5 web application but getting cors issues from the client.
The issue is that UseCors (which internally uses CorsMiddleWare.cs ) will set the response headers needed to support cors but then if there is an http error the UseDeveloperExceptionPage (which uses DeveloperExceptionPageMiddleware.cs ) somehow clears these headers.
This is the exact console log error....
This also blocks the ability for javascript to get the http status that was returned since the browser will block the response from the point that it detects a cors issue.
The text was updated successfully, but these errors were encountered: