CORS api not sending Access-Control-Allow-Origin header #3138
Description
I'm running ASP.NET Core 2.0 (.NET Standard) on an Azure Web App.
I am not using CORS middleware (i.e. no call to app.UseCors()), but I am setting up an access policy like so:
The web app runs on www.mydomain.com and CORS is set up like...
services.AddCors(options =>
{
options.AddPolicy("ScormStorageCors",
builder => builder.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials());
});
The controller is decorated as such:
[EnableCors("ScormStorageCors")]
public async Task<IActionResult> LMSCommands(ScormCommand cmd)
{
}
The Ajax request is dispatched from storage.mydomain.com and looks like so:
$.ajax({
url: serviceURL,
cache: false,
type: "POST",
crossDomain: true,
xhrFields: { withCredentials: true },
data: cmd,
async: false, // cross domain requests don't support async
error: function (xhr, textStatus, settings)
{
alert("Error: " + xhr.status + " " + xhr.statusText + " " + xhr.responseText);
}
});
This works as expected and I can also see an Access-Control-Allow-Origin header in the HTTP response to the Ajax request. Notice I'm allowing "Any Origin" in the policy definition.
If, however, I set up CORS like so:
services.AddCors(options =>
{
options.AddPolicy("ScormStorageCors",
builder => builder.WithOrigins(new string[] {"storage.mydomain.com"})
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials());
});
... and I make the same Ajax call, i get a HTTP 200 AND the action executes, succeeds AND sends back a valid and complete response over the wire (verified with Fiddler), BUT it's missing the Access-Control-Allow-Origin header in the HTTP response so the browser won't accept it and the Ajax call ultimately fails.
Am I doing something wrong or is this a bug in the API? Any known workarounds? I really don't want to allow access to my endpoint from outside of my app domains.
Thanks in advance!