Core 2.1 refuses to respond with Access-Control-Expose-Headers: *

Question

I must be doing something wrong here but I can't figure it out; it seems to be a CORS issue from what I can tell. I need to expose Access-Control-Expose-Headers: * to any origin but dotnet core 2.1 isn't doing what I expect.

Relevant Startup.cs code:

        public void ConfigureServices(IServiceCollection services)         {             //Mapping settings to POCO and registering with container             var settings = new AppSettings.ReportStorageAccountSettings();             Configuration.Bind(nameof(AppSettings.ReportStorageAccountSettings), settings);              services.AddCors(options =>             {                 options.AddPolicy("AllowAll",                     builder =>                     {                         builder                             .AllowAnyHeader()                             .AllowAnyMethod()                             .AllowAnyOrigin()                             .AllowCredentials();                     });             });             services.AddSingleton(settings);             services.AddApiVersioning();             services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);         }          // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.         public void Configure(IApplicationBuilder app, IHostingEnvironment env)         {             if (env.IsDevelopment())             {                 app.UseDeveloperExceptionPage();             }             else             {                 app.UseHsts();             }              app.UseCors("AllowAll");             app.UseHttpsRedirection();             app.UseMvc();         } 

This application is hosted in Azure and I have added a * entry to the CORS settings in Azure just for good measure. Now, whenever the client application (which is also hosted in Azure) makes a post request, the headers are not accessible via JS and Access-Control-Expose-Headers: * is not present in the response. However, I can see the headers when I inspect the network response and when using Fiddler. I have tried Axios and Jquery for accessing the headers to rule out any issues with the JS. What am I doing wrong here?

In the controller I respond with:

 Response.Headers.Add("Location", $"api/someLocation");  return StatusCode(StatusCodes.Status202Accepted); 

Answer 1

The CorsPolicyBuilder's AllowAnyHeader method configures the Access-Control-Allow-Headers response header, which is used only for preflighted requests. The Access-Control-Expose-Headers response header is what's needed, which is configured using WithExposedHeaders.

Here's a complete example:

services.AddCors(options => {     options.AddPolicy("AllowAll", builder =>     {         builder.AllowAnyHeader()                .AllowAnyMethod()                .AllowAnyOrigin()                .AllowCredentials()                .WithExposedHeaders("Location"); // params string[]     }); });