Want to allow my API to be accessed from different sites. For this had: <pre class="prettyprint"><code>services .AddCors(options => { options.AddPolicy(PolicyName, builder => { builder .SetIsOriginAllowedToAllowWildcardSubdomains() .WithOrigins( "http://*.my-api.com", "http://*.my-api.service" ) ... </code></pre> This doesn't seem to allow httpS or when I specify the port in the request. Ex.: https://www.my-api.com:3000 Thought could replace the WithOrigins with SetIsOriginAllowed() <pre class="prettyprint"><code>services .AddCors(options => { options.AddPolicy(PolicyName, builder => { builder .SetIsOriginAllowed(IsOriginAllowed) </code></pre> where IsOriginAllowed function is defined as: <pre class="prettyprint"><code>private static bool IsOriginAllowed(string host) { var corsOriginAllowed = new[] { "my-api.com", "my-api.service" }; return corsOriginAllowed.Any(origin => Regex.IsMatch(host, $@"^http(s)?://.*{origin}(:[0-9]+)?$", RegexOptions.IgnoreCase)); } </code></pre> but this doesn't work at all, even the regular expression is returning true when I want. Does anyone know why this doesn't work and can show me the right way to allow httpS (besides duplicating all the domains in WithOrigins() with httpS and different ports. Thanks

SetIsOriginAllowed() does work. Was testing with Postman and as was told, Postman doesn't care about headers returned from the server. It's the browser who enforces the Cors headers. To test properly created a little html page under a test site with below javascript <div class="snippet" data-lang="js" data-hide="false" data-console="true" data-babel="false"> <div class="snippet-code"> <pre class="prettyprint snippet-code-html lang-html prettyprint-override"><code><html> <script> fetch('http://test.com:5000/v2/campaign/hallo3').then(function(response) { return response.json(); }).then(function(j) { alert(JSON.stringify(j)); }); </script> </html></code></pre> </div> </div> when domain is NOT included in the Cors allowed list browser doesn't display the returned values from API <img src="https://i.stack.imgur.com/rdtck.png" alt="Domain not allowed"> After adding test domain to allowed domains list browser display the data and get the content Cors headers <img src="https://i.stack.imgur.com/Ch6YU.png" alt="enter image description here"> Another problem was that with just the SetIsOriginAllowed() server was not sending the 'Vary' header. Had to set both: <pre class="prettyprint"><code>.SetIsOriginAllowed(IsOriginAllowed) .WithOrigins(corsOriginAllowed) </code></pre>

.Net core2 CORS - How SetIsOriginAllowed works?

Want to allow my API to be accessed from different sites. For this had:

services
    .AddCors(options =>
    {
        options.AddPolicy(PolicyName, builder =>
        {
            builder
                .SetIsOriginAllowedToAllowWildcardSubdomains()
                .WithOrigins(
                    "http://*.my-api.com",
                    "http://*.my-api.service"
                )
...

This doesn't seem to allow httpS or when I specify the port in the request.

Ex.: https://www.my-api.com:3000

Thought could replace the WithOrigins with SetIsOriginAllowed()

services
    .AddCors(options =>
    {
        options.AddPolicy(PolicyName, builder =>
        {
            builder
                .SetIsOriginAllowed(IsOriginAllowed)

where IsOriginAllowed function is defined as:

private static bool IsOriginAllowed(string host)
{
    var corsOriginAllowed = new[] { "my-api.com", "my-api.service" };

    return corsOriginAllowed.Any(origin =>
        Regex.IsMatch(host, $@"^http(s)?://.*{origin}(:[0-9]+)?$", RegexOptions.IgnoreCase));
}

but this doesn't work at all, even the regular expression is returning true when I want.

Does anyone know why this doesn't work and can show me the right way to allow httpS (besides duplicating all the domains in WithOrigins() with httpS and different ports.

Thanks

What is SetIsOriginAllowed?

SetIsOriginAllowed() method returns true if an origin is allowed, so always returning true allows any origin to send requests to the api.

How do I allow all CORS in net core?

There are three ways to enable CORS: In middleware using a named policy or default policy. Using endpoint routing. With the [EnableCors] attribute.

SetIsOriginAllowed() does work. Was testing with Postman and as was told, Postman doesn't care about headers returned from the server. It's the browser who enforces the Cors headers.

To test properly created a little html page under a test site with below javascript

<html>
    <script>
        fetch('http://test.com:5000/v2/campaign/hallo3').then(function(response) {
            return response.json();
        }).then(function(j) {            
	        alert(JSON.stringify(j));
        });
    </script>
</html>

when domain is NOT included in the Cors allowed list browser doesn't display the returned values from API

Domain not allowed

After adding test domain to allowed domains list browser display the data and get the content Cors headers

enter image description here

Another problem was that with just the SetIsOriginAllowed() server was not sending the 'Vary' header. Had to set both:

.SetIsOriginAllowed(IsOriginAllowed)
.WithOrigins(corsOriginAllowed)

.Net core2 CORS - How SetIsOriginAllowed works?

Tags:

cors

asp.net-core

Riga

People also ask

1 Answers

Riga

Recent Activity

Donate For Us

.Net core2 CORS - How SetIsOriginAllowed works?

Tags:

cors

asp.net-core

Riga

People also ask

1 Answers

Riga

Related questions

Recent Activity

Donate For Us