aspnet 5, mvc 6 CORS #640

Closed
esyorcho opened this issue May 28, 2015 · 14 comments

Comments

@esyorcho
Copy link

Hi, sorry I'm new and I don't know if this is the right place to ask this question. If it's not please let me know and I'll move it. I'm having issues trying to setup cors in our application. We have in Startup.cs of our initial RestApi:

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors(policy => policy.WithOrigins("http://domain1.com", "http://localhost:2025").AllowAnyMethod().AllowAnyHeader().AllowCredentials());
        app.UseMvc();
        ...

It works from "domain1" in Chrome and Firefox, but it doesn't in IE. In IE we get this error:

"Request header content-type was not present in the Access-Control-Allow-Headers list."

If I try to add headers in some way like:

        app.UseCors(policy => policy
            .WithOrigins("http://domain1.com", "http://localhost:2025")
            .AllowAnyMethod()
            .WithHeaders("Access-Control-Allow-Origin, Content-Type, x-xsrf-token, Authorization")
            .AllowCredentials());

Then the error changes in IE to:

"Origin http://domain1.com not found in Access-Control-Allow-Origin header."

and in Chrome (which worked before):

"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://domain1' is therefore not allowed access."

Could anyone please tell me the right way to implement both "WithOrigins" and "WithHeaders" using cors in aspnet 5, mvc 6?

Thank you

@davidfowl
Copy link
Member

/cc @harshgMSFT any ideas?

@harshgMSFT
Copy link
Contributor

Hi @esyorcho thanks for reporting this.

First, a few things: WithHeaders is used to indicate which request headers should be allowed, not the response headers, so you should never mention Access-Control-Allow-Origin, which is a response header. Also, any custom header on the request that you are making should be added in the following format: Access-Control-Request-Headers: content-type

Also Content-Type is considered a simple header and there should be no need to pass this on.
Are you doing a POST or a GET ?
I tried your exact scenario and the issue you report did not repro for me (as you can see the sample response has everything). With IE if you are accessing outside your intranet, there are security settings that might be playing the spoiler (just a wild guess).

Can you post the request and response for the original scenario (without the WithHeaders modification)?

Example request:

OPTIONS http://domain2.com/cors2/Home/Index HTTP/1.1
Accept: */*
Origin: http://domain1.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: domain2.com
Content-Length: 0
DNT: 1
Connection: Keep-Alive
Pragma: no-cache

example response

HTTP/1.1 204 No Content
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: http://domain1.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
X-Powered-By: ASP.NET

@esyorcho
Copy link
Author

esyorcho commented Jun 1, 2015

Hi @harshgMSFT thank you very much for your reply. The request and response of the original scenario are these ones:

Request:

OPTIONS /api/authentication/authenticateuser HTTP/1.1
Accept: */*
Origin: http://domain1.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization, accept, content-type
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: localhost:2001
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

Response:

HTTP/1.1 204 No Content
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: http://domain1.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Headers: content-type
X-SourceFiles: ***
X-Powered-By: ASP.NET

If there is any other info you need please let me know.

Cheers

@harshgMSFT
Copy link
Contributor

This is a success case. Are you saying this is what you see in Chrome but not IE? (The user agent suggests it's IE.)

@harshgMSFT
Copy link
Contributor

BTW this is the preflight request and response, after this there should have been another request and response which corresponds to the actual request.

@esyorcho
Copy link
Author

esyorcho commented Jun 1, 2015

Hi @harshgMSFT
This is in IE. In the console I can see the errors:
SEC7123: Request header content-type was not present in the Access-Control-Allow-Headers list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
Then I can see in network tab:
http://localhost:2001/api/authentication/authenticateuser HTTP OPTIONS (Aborted) 492 B 16 ms CORS Preflight

Thanks

@harshgMSFT
Copy link
Contributor

your response has it
Access-Control-Allow-Headers: content-type,

Which version (IE and OS) are you using? Did you check whether you have different rules for intranet and internet sites under the security tab?

@esyorcho
Copy link
Author

esyorcho commented Jun 1, 2015

Could it be a problem the fact that they are in 2 lines in the response:

Access-Control-Allow-Headers: authorization
Access-Control-Allow-Headers: content-type

rather than in 1 as in the request?:

Access-Control-Request-Headers: authorization, accept, content-type

@harshgMSFT
Copy link
Contributor

AFAIK it should not matter. A quick way to verify would be to remove the authorization header in the request and see if it goes through.

@esyorcho
Copy link
Author

esyorcho commented Jun 1, 2015

Yes, removing the authentication header worked. So now I got in request:

Access-Control-Request-Headers: accept, content-type

and in response there's only:

Access-Control-Allow-Headers: content-type

(no more Access-Control-Allow-Headers: authorization)

And instead of the 2 errors from before:

SEC7123: Request header content-type was not present in the Access-Control-Allow-Headers list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

Now I get these 2 information messages:

SEC7118: XMLHttpRequest for http://localhost:2001/api/authentication/authenticateuser required Cross Origin Resource Sharing (CORS).
SEC7119: XMLHttpRequest for http://localhost:2001/api/authentication/authenticateuser required CORS preflight.

And it goes through. So it seems that IE doesn't like the response allowed headers in 2 different locations (it worked for Chrome and Firefox). I'll add the content-type header together with the authentication one.

Thank you very much for your help, much appreciated.

Cheers
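To make the two points in this thread concrete (harshgMSFT's explanation above of what Access-Control-Allow-Headers has to answer, and the finding in the comment just above that IE rejects the same policy when the allowed headers arrive on two separate lines), here is an added example that models the browser side of the preflight check. It is not code from this thread, from ASP.NET, or from any browser. The response heads are constructed from the headers posted above, the Authorization value is made up, and the `foldRepeatedHeaders` switch is an assumption about client behaviour: `true` joins repeated header lines with commas as RFC 7230 §3.2.2 permits, `false` honours only the first line, which reproduces the reported symptom (content-type reported missing while authorization sits on the first line). The safelist rule is applied precisely: Content-Type counts as a simple header only for application/x-www-form-urlencoded, multipart/form-data and text/plain, so a JSON POST does trigger a preflight and content-type must appear in the allow list.

```javascript
// Added example: a minimal model of the browser-side CORS preflight check.
// Not code from the aspnet/Mvc thread, the ASP.NET CORS middleware, or a browser.

// CORS-safelisted request headers (Fetch spec). Content-Type is safelisted
// only for these three media types; application/json is NOT.
const SAFELISTED_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];

function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (n === "accept" || n === "accept-language" || n === "content-language") return true;
  if (n === "content-type") {
    const mediaType = String(value || "").split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.includes(mediaType);
  }
  return false;
}

// Parse a raw HTTP/1.1 response head into { status, headers }. Repeated
// field names are collected into an array so the caller decides how to treat them.
function parseResponseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== "");
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return { status, headers };
}

function splitList(value) {
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Decide whether a preflight response permits the actual request.
// requestHeaders: { Name: value } the script intends to send.
// foldRepeatedHeaders (assumed client behaviour): true = treat repeated header
// lines as one comma-separated list; false = honour only the first line.
function preflightAllows(origin, requestHeaders, rawResponse, opts = {}) {
  const { foldRepeatedHeaders = true } = opts;
  const { status, headers } = parseResponseHead(rawResponse);
  const errors = [];
  if (status < 200 || status > 299) errors.push(`preflight status ${status}`);

  const pick = (name) => {
    const vals = headers.get(name) || [];
    if (vals.length === 0) return "";
    return foldRepeatedHeaders ? vals.join(", ") : vals[0];
  };

  const allowOrigin = pick("access-control-allow-origin");
  if (allowOrigin !== origin && allowOrigin !== "*") {
    errors.push(`Origin ${origin} not found in Access-Control-Allow-Origin header`);
  }
  const allowed = new Set(splitList(pick("access-control-allow-headers")));
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (isSafelistedRequestHeader(name, value)) continue; // never preflight-checked
    if (!allowed.has(name.toLowerCase())) {
      errors.push(`Request header ${name.toLowerCase()} was not present in the Access-Control-Allow-Headers list`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample modelled on the response posted in the thread:
// the allowed headers arrive on two separate lines.
const SPLIT_RESPONSE = [
  "HTTP/1.1 204 No Content",
  "Access-Control-Allow-Origin: http://domain1.com",
  "Access-Control-Allow-Credentials: true",
  "Access-Control-Allow-Headers: authorization",
  "Access-Control-Allow-Headers: content-type",
  "",
].join("\r\n");

// The same policy with both names folded onto one line.
const FOLDED_RESPONSE = SPLIT_RESPONSE.replace(
  "Access-Control-Allow-Headers: authorization\r\nAccess-Control-Allow-Headers: content-type",
  "Access-Control-Allow-Headers: authorization, content-type",
);

// Headers of the login POST from the thread; the token value is made up.
const LOGIN_REQUEST_HEADERS = {
  Accept: "application/json",
  "Content-Type": "application/json",
  Authorization: "example-token",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const fold of [true, false]) {
    console.log(`split lines, fold=${fold}:`,
      preflightAllows("http://domain1.com", LOGIN_REQUEST_HEADERS, SPLIT_RESPONSE, { foldRepeatedHeaders: fold }));
  }
}
```

With folding on, the split response passes; with folding off it fails exactly as IE reported, and the folded response passes either way, which is why the single-line form is the safe one to emit. One more check on the second Startup.cs snippet in the opening post: WithHeaders takes one header name per argument, so the single comma-separated string it is given is matched as one literal header name rather than four.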

@harshgMSFT
Copy link
Contributor

Cool! closing this.

@esyorcho
Copy link
Author

esyorcho commented Jun 8, 2015

Hi @harshgMSFT,
Thank you for your help before, and please if you need me to I'll move this question to another thread (or wherever you tell me) if it's not the right place.
I've been trying to "tie" both headers together (authentication and content-type), so that they show up in one line like:

Access-Control-Allow-Headers: content-type, authorization

But no matter what I did, they were being separated into 2 lines. I removed the authorization header from my first call (the login) since I didn't need it anyway, and then it went through (because it only had the content-type header). Somehow the post calls within the application that need the authorization header still have the same problem (content-type missing, because it's in the second line and IE can't read it). Could you please tell me if there's a way that you know of to make both headers show up in one line? At the moment we're adding the Authorization header this way in JS:

                // add authentication header:
                var authHeader = "";//"basic ";
                authHeader += this.get("token") ? JSON.stringify(this.get("token")) : null;
                return {
                    headers: _.extend(headers, { Authorization: authHeader })
                };

and we do our post calls with restangular this way:

RestangularFactory.all("search/getFields").post(criteria, "");

In our server api we have all post and get calls with:

    [Produces("application/json")]
    [HttpPost]
    public string GetFields([FromBody]CriteriaInputData criteria)
    {
        return ...
    }

If there is any other information that you need please let me know

Thank you very much

@harshgMSFT
Copy link
Contributor

@Tratcher @HaoK any ideas folks?

@harshgMSFT
Copy link
Contributor

@esyorcho Let's move this to the CORS repo. aspnet/CORS#22

ryanbrandenburg pushed a commit that referenced this issue Nov 22, 2018
@ghost ghost locked as resolved and limited conversation to collaborators Dec 4, 2019