Search code examples
c#asp.net-coreiiscorsplesk

CORS issue only on PUT on .NET5

I'm getting Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://mysiteapi.domain.com/api/v1.0/operations/1. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). when trying to do a PUT request to my .NET5 WebAPI.

These are the methods I've added CORS to the API:

        public static void AddCustomCors(this IServiceCollection services, IWebHostEnvironment env, IConfiguration config)
        {
            var cors = config.GetSection("Cors").Get<CorsSettings>();
            if (!cors.Enabled)
            {
                return;
            }

            services.AddCors(options =>
            {
                options.AddPolicy("Default",
                    builder =>
                    {
                        builder.WithExposedHeaders(cors.ExposedHeaders)
                            .WithHeaders(cors.Headers)
                            .WithMethods(cors.Methods);
                            .WithOrigins(cors.Origins);

                    });
            });
        }

        public static void UseCustomCors(this IApplicationBuilder app, IConfiguration config)
        {
            var cors = config.GetSection("Cors").Get<CorsSettings>();
            if (cors.Enabled)
            {
                app.UseCors("Default");
            }
        }

They are called in Startup.cs as the first methods in ConfigureServices and Configure respectively. The settings look like this:

  "Cors": {
    "Enabled": true,
    "Origins": [ "http://mysite.domain.com" ],
    "ExposedHeaders": [ "X-Request-Id", "X-Request-Duration" ],
    "Headers": [ "Content-Type", "Authorization", "X-Requested-With" ],
    "Methods": [ "OPTIONS", "GET", "POST", "PUT", "DELETE" ]
  }

GET requests work but not PUT. Checking the Network browser tab I see that the OPTIONS request is ok and I can see my settings being added but in the PUT request they are missing. The OPTIONS request and response:

OPTIONS /api/v1.0/operations/1 HTTP/2
Host: mysiteapi.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: authorization,content-type
Referer: https://mysite.domain.com/operation/edit/1
Origin: https://mysite.domain.com
Connection: keep-alive
TE: Trailers


HTTP/2 204 No Content
server: Microsoft-IIS/10.0
access-control-allow-origin: https://mysite.domain.com
access-control-allow-headers: Content-Type,Authorization,X-Requested-With,Origin
access-control-allow-methods: OPTIONS,GET,POST,PUT,DELETE
x-powered-by: ASP.NET
x-powered-by-plesk: PleskWin
date: Thu, 28 Jan 2021 16:21:49 GMT
X-Firefox-Spdy: h2

The PUT request and response:

PUT /api/v1.0/operations/1 HTTP/2
Host: mysiteapi.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Bearer <token>
Content-Type: application/json
Content-Length: 353
Origin: https://mysite.domain.com
Connection: keep-alive
Referer: https://mysite.domain.com/operation/edit/1
TE: Trailers

HTTP/2 405 Method Not Allowed
allow: GET, HEAD, OPTIONS, TRACE
content-type: text/html
server: Microsoft-IIS/10.0
x-powered-by: ASP.NET
x-powered-by-plesk: PleskWin
date: Thu, 28 Jan 2021 16:21:49 GMT
content-length: 12591
X-Firefox-Spdy: h2

The API is on a web host running in IIS in Plesk 18.0.32. The web.config is as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <aspNetCore processPath="dotnet" arguments=".\MySite.WebApi.dll" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" hostingModel="InProcess" />
    </system.webServer>
  </location>

  </system.webServer>
  <system.web>
    <compilation tempDirectory="C:\Inetpub\vhosts\mysite.com\tmp" />
    <customErrors mode="Off" />
  </system.web>
</configuration>

I suspected this was a problem with the web.config so I've tried:

  1. adding the Access-Control-Allow-Origin as a custom header in web.config - this resulted in an error because they were being added twice
  2. removing the CORS stuff from the API and having them added only from web.config - resulted in errors about the preflight request
  3. removing the header through web.config and then adding it - resulted in an error (preflight I think)
  4. adding the configuration from https://learn.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference to the web.config - also resulted in an error

Has anyone else encountered this problem?

Solution

  • Include this inside the <system.webServer> xml just before <handlers> in web.config to remove webdav which might have disabled PUT requests.

    <modules> 
    <remove name="WebDAVModule" /> 
</modules>