-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aspnet 5, mvc 6 CORS #640
Comments
/cc @harshgMSFT any ideas? |
Hi @esyorcho thanks for reporting this. First there are a few things, WithHeaders is used to indicate which Also Content-Type is considered a simple header and there should be no need to pass this on. Can you post the request and response for the original scenario (without WithHeaders modification). Example request:
example response
|
Hi @harshgMSFT thank you very much for your reply. The request and response of the original scenario are these ones: Request: OPTIONS /api/authentication/authenticateuser HTTP/1.1 Response: HTTP/1.1 204 No Content If there is any other info you need please let me know. Cheers |
This is a success case, are you saying this is what you see in chrome but not IE? (the user agent suggests its IE). |
BTW this is the preflight request and response, after this there should have been another request and response which corresponds to the actual request. |
Hi @harshgMSFT Thanks |
your response has it Which version (IE and os) are you using? did you check if you have different rules for intranet and internet sites under security tab? |
Could it be a problem the fact that they are in 2 lines in the response: Access-Control-Allow-Headers: authorization rather than in 1 as in the request?: Access-Control-Request-Headers: authorization, accept, content-type |
AFIK it should not matter a quick way to verify would be remove the authorization header in the request and see if it goes through. |
Yes, removing the authentication header worked. So now I got in request: Access-Control-Request-Headers: accept, content-type and in response there's only: Access-Control-Allow-Headers: content-type (no more Access-Control-Allow-Headers: authorization) And instead of the 2 errors from before: SEC7123: Request header content-type was not present in the Access-Control-Allow-Headers list. Now I get these 2 information messages: SEC7118: XMLHttpRequest for http://localhost:2001/api/authentication/authenticateuser required Cross Origin Resource Sharing (CORS). And it goes through. So it seems that IE doesn't like the response allowed headers in 2 different locations (it worked for Chrome and Firefox). I'll add the content-type header together with the authentication one. Thank you very much for your help, much appreciated. Cheers |
Cool! closing this. |
Hi @harshgMSFT, Access-Control-Allow-Headers: content-type, authorization But no matter what I did, they were being separated in 2 lines. I removed the authorization header from my first call (the login) since I didn't need it anyways, and then it went through (because it only had the content-type header). Somehow post calls within the application that need the authorization header still have the same problem (content-type missing, because it's in the second line and IE can't read it). Could you please tell me if there's a way that you know to make both headers show up in one line? At the moment we're adding the Authorization header this way in js:
and we do our post calls with restangular this way: RestangularFactory.all("search/getFields").post(criteria, ""); In our server api we have all post and get calls with:
If there is any other information that you need please let me know Thank you very much |
@esyorcho Lets move this to the CORS repo. aspnet/CORS#22 |
Hi, sorry I'm new and I don't know if this is the right place to ask this question. If it's not please let me know and I'll move it. I'm having issues trying to setup cors in our application. We have in Startup.cs of our initial RestApi:
It works from "domain1" in Chrome and Firefox, but it doesn't in IE. In IE we get this error:
"Request header content-type was not present in the Access-Control-Allow-Headers list."
If I try to add headers in some way like:
Then the error changes in IE to:
"Origin http://domain1.com not found in Access-Control-Allow-Origin header."
and in Chrome (which worked before):
"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://domain1' is therefore not allowed access."
Could anyone please tell me the right way to implement both "WithOrigins" and "WithHeaders" using cors in aspnet 5, mvc 6?
Thank you
The text was updated successfully, but these errors were encountered: