
Web Application Cors .NET CORE 3.1 vs 2.1


Recently I have been switching slowly over to .NET CORE 3.1 for everything I do, but when I was trying to port some of my Web Application (RESTful API) I ran into issues with CORS.

Code from project running .NET CORE 2.1:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("AllowAnyOrigin",
        builder => builder
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader());
    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    app.UseCors("AllowAnyOrigin");

    app.UseHttpsRedirection();

    app.UseMvc();
}

Code from project running .NET CORE 3.1:

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();

    services.AddCors(options =>
    {
        options.AddPolicy("AllowAnyOrigin",
        builder => builder
            .AllowAnyOrigin()
            .AllowAnyMethod()
            .AllowAnyHeader());
    });

    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);
}

// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    app.UseCors("AllowAnyOrigin");

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

When I make a request to the API running 2.1 everything goes as expected, but if I try to make the same request to the API running 3.1 I get a 405 error (Method Not Allowed Error).

Has anyone else run into this issue? If so, what is the solution to it?


Solution

  • In your Configure method, move:

    app.UseCors("AllowAnyOrigin");
    

    in between the

    app.UseRouting();
    

    and

    app.UseEndpoints(endpoints =>
    {
         endpoints.MapControllers();
    });
    

    There is a warning in the documentation that states the CORS middleware must be configured between these two methods or the middleware will stop functioning.

    https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-3.1

    See section labeled "Apply CORS policies to all endpoints"

    Configuring the components in the pipeline is both awesome, as it gives you control, and a huge pain because of ordering constraints. I'm personally waiting for someone to create a VS add-on that will analyze these and throw warnings. Would be a great project if someone was so inclined.
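
The ordering rule from the answer above can be checked mechanically, for instance as a CI step. The following Python script is an added example, not part of the original question or answer; its function names and the three sample pipelines (constructed from the Configure methods on this page) are assumptions, and it scans the source as text rather than parsing C#.

```python
import re

# Matches middleware registrations such as "app.UseRouting(".
USE_CALL = re.compile(r"\bapp\.(Use[A-Za-z]+)\s*\(")

def middleware_order(source):
    """Names of the app.UseXxx calls in source order, with // comments stripped."""
    code = "\n".join(line.split("//", 1)[0] for line in source.splitlines())
    return USE_CALL.findall(code)

def check_cors_order(source):
    """Return findings for the endpoint-routing rule; an empty list means OK."""
    order = middleware_order(source)
    if "UseCors" not in order:
        return []
    if "UseRouting" not in order and "UseEndpoints" not in order:
        return []  # 2.1-style UseMvc pipeline: the rule does not apply
    findings = []
    cors = order.index("UseCors")
    if "UseRouting" in order and order.index("UseRouting") > cors:
        findings.append("UseCors must come after UseRouting")
    if "UseEndpoints" in order and order.index("UseEndpoints") < cors:
        findings.append("UseCors must come before UseEndpoints")
    return findings

# Constructed inputs: the middleware calls of the pipelines discussed on this page.
NETCORE_21 = """
    app.UseCors("AllowAnyOrigin");
    app.UseHttpsRedirection();
    app.UseMvc();
"""
NETCORE_31_QUESTION = """
    app.UseCors("AllowAnyOrigin");   // registered before routing
    app.UseHttpsRedirection();
    app.UseRouting();
    app.UseAuthorization();
    app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
"""
NETCORE_31_FIXED = """
    app.UseHttpsRedirection();
    app.UseRouting();
    app.UseCors("AllowAnyOrigin");   // between UseRouting and UseEndpoints
    app.UseAuthorization();
    app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
"""

if __name__ == "__main__":
    for name, src in [("2.1", NETCORE_21), ("3.1 question", NETCORE_31_QUESTION),
                      ("3.1 fixed", NETCORE_31_FIXED)]:
        print(name, check_cors_order(src) or "OK")
```

The check only looks at calls written as app.UseXxx(...) in one file, so middleware registered through extension methods or a differently named builder variable is not seen.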