CORS asp.net core webapi - missing Access-Control-Allow-Origin header

Question

I have ASP.net WebApi Core with CORS enabled. It is Visual studio ASP.net Core Web API template. The only code added is code for CORS support:

public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddCors();

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
       /*  other stuff   */

        app.UseCors(builder => builder
            .WithOrigins("https://localhost:44310")
            .AllowAnyMethod()
            .AllowAnyHeader());

        app.UseMvc();
    }
        }

My API is hosted on localhost:44361 and mycalling WEB on localhost:44310. There are different ports, so my request comes from different origin. Thats why there should be header Access-Control-Allow-Origin in response. It is missing and I see error in browser console:

Access to fetch at 'https://localhost:44361/api/values' 
from origin 'https://localhost:44310' has been blocked by CORS policy: 
No 'Access-Control-Allow-Origin' header is present on the requested resource.
If an opaque response serves your needs, set the request's mode to 'no-cors'
to fetch the resource with CORS disabled.

Where is the problem?

Request headers:

GET https://localhost:44361/api/values HTTP/1.1
Host: localhost:44361
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Origin: https://localhost:44310
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Accept: */*
Referer: https://localhost:44310/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Response headers:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/10.0
X-SourceFiles: =?UTF-8?B?RDpcRGV2ZWxvcG1lbnRcQyNfcHJvZ3JhbW1pbmdcU0FNUExFU1xDb3JzQXBpU2ltdWxhdG9yXENvcmVBcGlcYXBpXHZhbHVlcw==?=
X-Powered-By: ASP.NET
Date: Thu, 16 May 2019 08:37:54 GMT

Answer 1

This can occur if you have

app.UseHttpsRedirection();

in Startup.Configure and your development https certificate is not trusted by the browser. A call on the http endpoint will redirect to https which will then fail and return an error complaining about CORS headers.

Very frustrating to debug. Lost a morning to that one.

Answer 2

can you try this one,

  services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
                builder => builder
                    .AllowAnyMethod()
                    .AllowCredentials()
                    .SetIsOriginAllowed((host) => true)
                    .AllowAnyHeader());
        });

and use it

app.UseCors("CorsPolicy");

this code for any origins. I just had something like that , when i was using cors directly in app.UseCors() i had problem, then i tried this and it worked. ps dont use app.UseCors() after app.UseMvc()

Answer 3

This might occur because of a server-side error in which case the response headers gets cleared, clearing the CORS response headers as well. Try enabling exceptions and debug your application to find the error.

See also: asp net core - No 'Access-Control-Allow-Origin' header is present on the requested resource.