I must be doing something wrong here but I can't figure it out; it seems to be a CORS issue from what I can tell. I need to expose Access-Control-Expose-Headers: * to any origin but dotnet core 2.1 isn't doing what I expect.
Relevant Startup.cs code:

    public void ConfigureServices(IServiceCollection services)
    {
        // Mapping settings to POCO and registering with container
        var settings = new AppSettings.ReportStorageAccountSettings();
        Configuration.Bind(nameof(AppSettings.ReportStorageAccountSettings), settings);

        services.AddCors(options =>
        {
            options.AddPolicy("AllowAll", builder =>
            {
                builder
                    .AllowAnyHeader()
                    .AllowAnyMethod()
                    .AllowAnyOrigin()
                    .AllowCredentials();
            });
        });

        services.AddSingleton(settings);
        services.AddApiVersioning();
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseHsts();
        }

        app.UseCors("AllowAll");
        app.UseHttpsRedirection();
        app.UseMvc();
    }

This application is hosted in Azure and I have added a * entry to the CORS settings in Azure just for good measure. Now, whenever the client application (which is also hosted in Azure) makes a post request, the headers are not accessible via JS and Access-Control-Expose-Headers: * is not present in the response. However, I can see the headers when I inspect the network response and when using Fiddler. I have tried Axios and jQuery for accessing the headers to rule out any issues with the JS. What am I doing wrong here?
In the controller I respond with:

    Response.Headers.Add("Location", $"api/someLocation");
    return StatusCode(StatusCodes.Status202Accepted);

The Access-Control-Expose-Headers response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. Only the CORS-safelisted response headers are exposed by default.
The CorsPolicyBuilder's AllowAnyHeader method configures the Access-Control-Allow-Headers response header, which is used only for preflighted requests. The Access-Control-Expose-Headers response header is what's needed, which is configured using WithExposedHeaders.
Here's a complete example:

    services.AddCors(options =>
    {
        options.AddPolicy("AllowAll", builder =>
        {
            builder.AllowAnyHeader()
                   .AllowAnyMethod()
                   .AllowAnyOrigin()
                   .AllowCredentials()
                   .WithExposedHeaders("Location"); // params string[]
        });
    });
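
An added example, not part of the original answer: a simplified JavaScript model of how a browser decides which response headers a script may read on a cross-origin response. It also covers the * value from the question, which browsers treat as a wildcard only when the request was sent without credentials. The function name and the sample responses are constructed for illustration.

```javascript
// Simplified model of the browser's CORS response-header filter (not browser code).
// Headers a script can always read on a cross-origin response.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Headers a script can never read, even with a wildcard.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// responseHeaders: plain object of header name -> value, as seen on the wire
//                  (what Fiddler or the network tab shows).
// withCredentials: true when the request carried cookies or HTTP auth.
// Returns the subset of headers that script (Axios, jQuery, fetch) can read.
function visibleToScript(responseHeaders, withCredentials) {
  const wire = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));

  const exposed = (wire["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

  // "*" means "everything" only for requests made without credentials;
  // with credentials it is just a header literally named "*".
  const wildcard = exposed.includes("*") && !withCredentials;

  const visible = {};
  for (const [name, value] of Object.entries(wire)) {
    if (FORBIDDEN.has(name)) continue;
    if (wildcard || SAFELISTED.has(name) || exposed.includes(name)) {
      visible[name] = value;
    }
  }
  return visible;
}

// Constructed sample: the 202 response from the question's controller.
const base = { "Content-Type": "application/json", "Location": "api/someLocation" };

function demo() {
  const named = { ...base, "Access-Control-Expose-Headers": "Location" };
  const star = { ...base, "Access-Control-Expose-Headers": "*" };
  return {
    noExposeHeader: visibleToScript(base, true).location,      // undefined
    namedWithCreds: visibleToScript(named, true).location,     // "api/someLocation"
    starWithCreds: visibleToScript(star, true).location,       // undefined
    starWithoutCreds: visibleToScript(star, false).location,   // "api/someLocation"
  };
}
```

Naming the header explicitly, as WithExposedHeaders("Location") does, is the only form that works for both credentialed and non-credentialed requests.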