CORS preflight request doesn't hit IIS until fiddler is working
Yes, it's another CORS question, I have searched for more than three days for this problem trying to understand what is happening.
The sample application found under this repo Sample Application
I'm using ASP.net Core 2.2 hosted in local IIS with Windows Authentication enabled and Anonymous Authentication disabled. configured to allow CORS.
services.AddCors(options => { options.AddPolicy("AllowOrigin", builder => builder .SetIsOriginAllowed(origin => true) .AllowAnyMethod() .AllowAnyHeader() .AllowCredentials() ); });For handling preflight request I have created custom middleware
private Task BeginInvoke(HttpContext context) { if (context.Request.Method == "OPTIONS") { if (!string.IsNullOrEmpty( context.Request.Headers["Origin"]) ) context.Response.Headers.Add("Access-Control-Allow-Origin", new[] { (string)context.Request.Headers["Origin"] }); context.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "foo,Access2, Origin, X-Requested-With, Content-Type, Accept,authentication" }); context.Response.Headers.Add("Access-Control-Allow-Methods", new[] { "GET, POST, PUT, DELETE, OPTIONS" }); context.Response.Headers.Add("Access-Control-Allow-Credentials", new[] { "true" }); context.Response.StatusCode = 200; return Task.CompletedTask; //context.Response.WriteAsync("OK"); } return _next.Invoke(context); //complete request pipline }When I try to send a complex request with a customer header (preflight request) (Request A)
fetch('http://localhost:8050/api/values',{credentials:'include', headers:{'foo':'foo'}}) .then(response => response.json()) .then(data => console.log(data));
I got an error
This how the request be in the fiddler, (for your information this request doesn't reach ASP.Net App and just hit IIS)
- The most interesting thing when activate fiddler then create a simple get request from the browser(chrome) to the endpoint('http://localhost:8050/api/values), It will produce three authentication handshake and succeeded
- => 401
- => 401
- => 200
As shown in fiddler (it's
- Then if I try the complex request (Request A) again (that caused an error the first time) it goes without any problem as two requests
- A preflight request (OPTIONS verb) with the response of 200 (succeded)
- The actual request (GET verb) with the required response of 200 (succeded)
Here the fiddler analysis
My Question
- Why a simple get request (from chrome) while activating fiddler solve all my problem and allow me after that to make any complex CORS request without any error.
- How I can make a complex CORS request without any problem (without needing a fiddler).
Note that I'm thinking in (can be wrong) Fiddler acts as a proxy that deals with the IIS and can make the required authentication handshake after that IIS accept any complex request.
The sample application found under this repo Sample Application
I have found the solution to my problem: as Lex Li suggest it's about the IIS CORS module
CORS in IIS When deploying to IIS, CORS has to run before Windows Authentication if the server isn't configured to allow anonymous access. To support this scenario, the IIS CORS module needs to be installed and configured for the app.
By installing the IIS CORS module from IIS CORS Module
For IIS CORS module documentation IIS CORS documentation
Thanks Lex Li for your support
- I can't make ProblemDetails pattern working every time
- Enable client side validation on disabled select element
- What does Page() method in Razor Pages OnPost method do?
- Why does my ASP.NET Core 5 Razor Page return a 404 on IIS, but not in Visual Studio?
- I want to specify a non-default layout for authentication errors in Blazor
- How to redirect on ASP.Net Core Razor Pages
- ASP.NET Core 404 Error on IIS 10
- My asp.net core app doesn't find favicon.ico when it's deployed to IIS
- How to set up a favicon in ASP.NET Core projects
- How to display images saved in wwwroot in ASP.NET Core projects?
- HTTP Error 500.19 - Internal Server Error (0x8007000d)
- How to update the model when using database first approach
- OIDC authentication in server-side Blazor
- Serilog DI in ASP.NET Core, which ILogger interface to inject?
- Cannot access a disposed object in ASP.NET Core when injecting DbContext
- Azure Maps rejecting Route Request with ZipCode
- Define Serializer options for ToJson() in Entity Framework 7
- is it possible to use Identity EF Core as login/signup on a REST API using nextjs?
- AspNet Core Identity, how set options.Cookie.SameSite?
- How to configure a Razor Pages project to use Identity endpoints in a WebApi project using cookie authentication
- Inconsistencies after Visual Studio Version 17.12.3 with Blazor program Error RZ9991, Error RZ10012
- Why is ASP.NET Core saying my form field is required even if it's not defined as required?
- Passing data from view to controller asp.net core razor pages
- How to define conditional model binding in ASP.NET Core Razor Pages?
- UpdateRange method of Entity Framework Core does not work
- How to dynamically insert strings from code-behind into the asp-for properties of Razor Pages elements
- ASP.NET Core Development Certificates - error exporting the HTTPS developer certificate
- Razor Pages should only listenen to specific route
- EF Core filtered Include not working with Select transformation
- NullReferenceException when trying to render Razor component