Search code examples
asp.netasp.net-mvcasp.net-mvc-4azurecors

After upgrade to asp.net 5.2.3, CORS isn't working for "*" origins


I have a project using web api and one using asp.net mvc. They are configured using CORS module.

The project using Web Api is configured to allow any origin because it's deployed on Azure and it's an OData endpoint, so we don't know who is going to consume it.

OData endpoint configuration

// inside configuration
config.EnableCors();

// controllers
[EnableCors(origins: "*", headers: "*", methods: "*")]
[Authorize]
[HttpPost]
public void ...

From my MVC client, using Angular $http we issue an authenticated request using Bearer token which looks like this one:

Request sent

Request URL:http://myodata.com/Products
Request Method:GET
Status Code:200 OK
Remote Address:123.123.123.123

And this is the header sent

Host: myodata.com
Authorization: bearer 123-ABC
Origin: http://myclient.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
Referer: http://myclient.com/

The problem lays in the response as you can see here:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

Because after we upgraded from 5.2.2 to 5.2.3 the CORS module is sending out Access-Control-Allow-Origin: *

And clearly, from the browser, we get this error:

XMLHttpRequest cannot load http://myodata.com/Products. 
The value of the 'Access-Control-Allow-Origin' header 
in the response must not be the wildcard '*' 
when the request's credentials mode is 'include'. 
Origin 'http://myclient.com' is therefore not allowed access. 
The credentials mode of requests initiated by the XMLHttpRequest 
is controlled by the withCredentials attribute.

But the call succeed actually, it bombs on the Angular side. We didn't have this issue until today, after we upgraded from 5.2.2 to 5.2.3


Solution

  • One thing to try is setting the header using the URL Rewrite Module, by adding the following to your Web.config or ApplicationHost.config file in %SystemDrive%\inetpub\wwwroot\.

    <configuration> 
        <system.webServer> 
            <rewrite> 
                <outboundRules> 
                    <rule name="Make Access-Control-Allow-Origin echo Origin"> 
                        <match serverVariable="RESPONSE_Access-Control-Allow-Origin"
                               pattern=".+" negate="true" /> 
                        <action type="Rewrite" value="{HTTP_ORIGIN}" /> 
                    </rule> 
                </outboundRules> 
            </rewrite> 
        </system.webServer> 
    </configuration>
    

    If the above doesn’t work, then you can try the version in the answer over at CORS in IIS issue with credentials and wildcard in Access-Control-Allow-Origin.

    Another approach: in the global.asax or other code for your service, add something like:

    if (ValidateRequest()) {
        Response.Headers.Remove("Access-Control-Allow-Origin");
        Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["origin"]);
        Response.Headers.Remove("Access-Control-Allow-Credentials");
        Response.AddHeader("Access-Control-Allow-Credentials", "true");
        Response.Headers.Remove("Access-Control-Allow-Methods");
        Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
    }
    

    ...the most important part of that being this:

    Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["origin"]);
    

    In either case the end effect should be: your backend takes the value of the Origin request header and echoes it back as the Access-Control-Allow-Origin response-header value.