CORS does not work with CDN #3520
Comments
|
@ackava can you provide more info on how things are set up, and what exactly doesn't work? Usually it's the CDN that needs CORS headers set up. |
|
And generally CDNs don't require CORS, because, well, they're open to multiple sites, so listing each one would be a nightmare. |
|
@blowdart they do need CORS so that JS files can programmatically download files from them, such as fonts. But, their CORS settings would probably be to blanket-allow all hosts for all things. |
|
Ah yea, ok, I poorly worded :) Allowing all is basically "I don't have requirements" to my mind. |
|
@Eilon Here is what I have, I have JS module resolver that downloads JS modules (individual files) via XHR and executes in either eval or script inject (RequireJS, SystemJS) all of them do exactly same thing. CDN through Azure CDN, does not send CORS headers, where else cdn.jsdelivr.net etc they do. Unfortunately, CORS headers detects that there is no need to send CORS and it does not send any CORS headers. I don't want to setup CORS on CDN because it is an additional configuration overhead outside of application. I have many tenants on the system and thus everyone have their own CDN pointing to root application. There should be a simple way to force sending headers even if they are not required. My work around now is to remove default CORS config and I have to write a module to force CORS headers. app.Use(async (context, next) => {
if( isJavaScriptResource(context)) {
IHeaderDictionary headers = context.Response.Headers;
headers.Add("access-control-allow-origin", "*");
headers.Add("access-control-expose-headers", "*");
headers.Add("access-control-allow-methods", "*");
headers.Add("access-control-allow-headers", "*");
headers.Add("access-control-max-age", "300");
}
await next();
}); |
|
You set up your own Azure CDN instance? But either way I think I'm missing something here: if you're using an Azure CDN, how does setting the response headers of your web app have any effect on this at all? |
|
That is, CORS is between the web browser and the CDN, not your web app. |
|
Azure CDN has custom origin set to my appilcation. So CDN simply forwards headers if they are present in the response. Otherwise CDN does not send CORS headers. My app is, and CDN url is All JavaScripts referenced in page are loaded from CDN url and not my app url. When JavaScript is loaded from different domain, Chrome does not allow AJAX requests as chrome maintains source as CDN and does not allow any AJAX request to app url. If JavaScript response has allow origin * then there is no issue with AJAX. |
|
Ah, I see now how this is configured, thank you for explaining. The Azure CDN essentially proxies requests back to your own app (if needed). When it wasn't working initially, how were you setting CORS? ASP.NET Core doesn't send any CORS headers by default - you have to use either the CORS middleware or MVC's CORS features. |
|
I did use MVC's CORS feature, but it does not work. Here is what I tried, And ... OR None of them worked !! |
|
The MVC CORS feature applies only to requests that come in to MVC itself. Because in your case these are presumably all requests for static files, chances are that the Static Files middleware will handle them all. So, that brings us to Can you confirm you had the middleware in that order? |
|
@ackava have you had a look at the logs? The CORS middleware does not send headers if it calculates that the policy does not match. |
|
I am not using UseStaticFiles, I have my own controller that actually
fetches JavaScript from a git repository and sends it as FileContent.
But even in case of UseStaticFiles it should work become chrome will not
allow Ajax requests from JavaScript that came from CDN.
But if you read my work around, everything is working fine.
I just feel that CORS should have ability to send headers without checking
input request.
…On Tue, Sep 11, 2018 at 1:40 PM Eilon Lipton ***@***.***> wrote:
The MVC CORS feature applies only to requests that come in to MVC itself.
Because in your case these are presumably all requests for static files,
chances are that the Static Files middleware will handle them all.
So, that brings us to .UseCors(), which you'd need to make sure runs
before calling .UseStaticFiles(), so that the CORS middleware will run
before the Static Files middleware, so that it has a chance to add the
headers you want.
Can you confirm you had the middleware in that order?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3520 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AlnG2bwf_BIYZiUxTLUX2FtHMkpTRhT8ks5uZ_WNgaJpZM4WfSma>
.
|
|
@pranavkm, can you please investigate this further? If there is a specific configuration required for this scenario, we should just document it., |
The values for
The CorsMiddleware logs it's evaluation for every incoming request and why it decided not to send a CORS response. That would help here. |
|
@pranavkm My request here is simple, irrespective of incoming request headers, I should be able to simply force Access-Control headers. A simple config to override all calculation and send header will suffice. |
|
@ackava, this is not something we plan to do:
You can achieve what you want by simply registering a custom middleware to write any headers you want. |
Eilon
added
area-mvc
It is quite well that ASP.NET Core detects whether CORS headers are needed or not, but it does not work with CDN. In requests through CDN, ASP.NET Core thinks that it does not need to send CORS headers and it simply stops sending CORS headers.
The text was updated successfully, but these errors were encountered: