I am trying to enable CORS within my ASP.NET Core API and allow passing cookies from my client application (Angular 6). However, whenever I attempt to hit an endpoint through my Angular application, I am receiving the following error:
Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'
Within my Startup.cs file, I have CORS enabled under ConfigureServices like:
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials()
.WithOrigins("http://localhost:4200"));
});
and under Configure:
app.UseCors("CorsPolicy");
In my Angular 6 application, I am calling the endpoint with a token like this:
this.http.get<T>(url, { headers: new HttpHeaders({ 'X-XSRF-TOKEN': token}), withCredentials: true });
The error is confusing because I am explicitly setting the allowed origins in .WithOrigins() within my .AddCors function, yet it's still saying there is only a wild card.
If this is hosted on Azure. Check the CORS settings in Azure AppService. The configurations there will override any other Cors configuration even in the .net core middleware.