I have a bunch of different versions of the same ASP.NET Core app. My workstation has MSVS 2019. My DEV and PROD servers are Windows Server 2012/IIS7.
The app has been around for years. It's NOT doing anything to explicitly enable CORS. It's NOT calling Services.AddCors(), app.UseCors(), policy.WithOrigins(), [EnableCors] or anything like that.
Most of the time, it "just works".
But SOMETIMES (like now), I get a CORS error trying to access FontAwesome when I run in the MSVS 2019 debugger:
Chrome developer tools console:
Access to CSS stylesheet at 'https://use.fontawesome.com/releases/v5.7.0/css/all.css' from origin 'https://localhost:44342' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
When the problem occurs, it's ONLY on my workstation in the MSVS 2019 debugger (iiexpress). It NEVER occurs on any of the PROD or DEV servers.
The baffling part is that - as far as I can tell - "nothing changed". My projects all worked yesterday. But they're all getting the CORS error on FA CSS today. And the remote IIS servers ... running the same app ... work fine ... in the same browser!
Here's the header from one of the "bad" pages:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.5.0/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.0/css/all.css" integrity="sha384-lZN37f5QGtY3VHgisS14W3ExzMWZxybE1SJSEsQp9S+oqd12jhcu+A56Ebc1zFSJ" crossorigin="anonymous">
<script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.24.0/moment.min.js" integrity="sha256-4iQZ6BVL4qNKlQ27TExEhBN1HFPvAvAMbFavKKosSWQ=" crossorigin="anonymous"></script>
<script src="https://unpkg.com/[email protected]/js/gijgo.min.js" type="text/javascript"></script>
<link href="https://unpkg.com/[email protected]/css/gijgo.min.css" rel="stylesheet" type="text/css" />
<script src="https://cdn.datatables.net/1.10.21/js/jquery.dataTables.min.js"></script>
<script src="https://cdn.datatables.net/1.10.21/js/dataTables.bootstrap4.min.js"></script>
<script src="https://cdn.datatables.net/plug-ins/1.10.25/sorting/datetime-moment.js"></script>
<link href="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.4.1/css/bootstrap.css" rel="stylesheet" type="text/css" />
<link href="https://cdn.datatables.net/1.10.21/css/dataTables.bootstrap4.min.css" rel="stylesheet" type="text/css" />
</head>
I DON'T want to modify the app (if I can avoid it), simply because I don't want to risk breaking code that's been around "forever".
I'd LOVE to figure out what could possibly be changing in my workstation's environment, so I can "fix" it.
Or maybe I can just use a different link to FontAwesome?
Q: Any suggestions?
The crossorigin="anonymous"
in the <link>
element causes the browser to load the stylesheet with a CORS request. Without that attribute, stylesheets can be loaded from any origin without CORS.
Perhaps removing the attribute is a workaround for you, because fontawesome.com
really seems to sporadically omit the Access-Control-Allow-Origin
header in CORS requests (and also the Content-Type
header). I could not find a pattern in this.