Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Core 2.1 refuses to respond with Access-Control-Expose-Headers: *

I must be doing something wrong here but I can't figure it out; it seems to be a CORS issue from what I can tell. I need to expose Access-Control-Expose-Headers: * to any origin but dotnet core 2.1 isn't doing what I expect.

Relevant Startup.cs code:

        public void ConfigureServices(IServiceCollection services)         {             //Mapping settings to POCO and registering with container             var settings = new AppSettings.ReportStorageAccountSettings();             Configuration.Bind(nameof(AppSettings.ReportStorageAccountSettings), settings);              services.AddCors(options =>             {                 options.AddPolicy("AllowAll",                     builder =>                     {                         builder                             .AllowAnyHeader()                             .AllowAnyMethod()                             .AllowAnyOrigin()                             .AllowCredentials();                     });             });             services.AddSingleton(settings);             services.AddApiVersioning();             services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);         }          // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.         public void Configure(IApplicationBuilder app, IHostingEnvironment env)         {             if (env.IsDevelopment())             {                 app.UseDeveloperExceptionPage();             }             else             {                 app.UseHsts();             }              app.UseCors("AllowAll");             app.UseHttpsRedirection();             app.UseMvc();         } 

This application is hosted in Azure and I have added a * entry to the CORS settings in Azure just for good measure. Now, whenever the client application (which is also hosted in Azure) makes a post request, the headers are not accessible via JS and Access-Control-Expose-Headers: * is not present in the response. However, I can see the headers when I inspect the network response and when using Fiddler. I have tried Axios and Jquery for accessing the headers to rule out any issues with the JS. What am I doing wrong here?

In the controller I respond with:

 Response.Headers.Add("Location", $"api/someLocation");  return StatusCode(StatusCodes.Status202Accepted); 
like image 430
S1r-Lanzelot Avatar asked Sep 14 '18 13:09

S1r-Lanzelot


People also ask

What is Access Control expose headers?

The Access-Control-Expose-Headers response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. Only the CORS-safelisted response headers are exposed by default.


Video Answer


1 Answers

The CorsPolicyBuilder's AllowAnyHeader method configures the Access-Control-Allow-Headers response header, which is used only for preflighted requests. The Access-Control-Expose-Headers response header is what's needed, which is configured using WithExposedHeaders.

Here's a complete example:

services.AddCors(options => {     options.AddPolicy("AllowAll", builder =>     {         builder.AllowAnyHeader()                .AllowAnyMethod()                .AllowAnyOrigin()                .AllowCredentials()                .WithExposedHeaders("Location"); // params string[]     }); }); 
like image 171
Kirk Larkin Avatar answered Oct 21 '22 12:10

Kirk Larkin