This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 87%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
I'm having a problem with configuring CORS in our web API project.
in Startup.cs we have the following configuration:
protected override void ConfigureApplication(IApplicationBuilder app, IWebHostEnvironment env, IHostApplicationLifetime appLifetime)
{
base.ConfigureApplication(app, env, appLifetime);
app.UseCors();
// ....
}
public override void ConfigureServices(IServiceCollection services)
{
// ...
this.ConfigureCrossOrigin(services);
// ...
}
private void ConfigureCrossOrigin(IServiceCollection services)
{
string[] allowedOrigin = new string[]
{
"https://dev-XX.myapp.nl/",
"https://*.myapp.nl/"
};
services.AddCors(options =>
options.AddDefaultPolicy(builder =>
builder
.SetIsOriginAllowedToAllowWildcardSubdomains()
.WithOrigins(allowedOrigin)
.AllowCredentials()
.AllowAnyMethod()
.AllowAnyHeader()));
}
Now, we have a client website that URL is https://dev-XX.myapp.nl/
and our server (API) is running at https://dev-api.myapp.nl/
so, for example, when the client site wants to perform a login it will send a POST request to https://dev-api.myapp.nl/api/login
The problem is that no matter what variation I put in the allowedOrigins I get a CORS error I tried:
"https://*.myapp.nl/" , "https://*-XX.myapp.nl/", "https://dev-XX.myapp.nl/"
nothing seems to work!
By the way, we have a "development" mode that allows all origins to send requests to the API and we configure it as follows:
private void ConfigureCrossOrigin(IServiceCollection services)
{
string[] allowedOrigin = new string[]
{
"https://dev-XX.myapp.nl/",
"https://*.myapp.nl/"
};
services.AddCors(options =>
options.AddDefaultPolicy(builder =>
builder
.SetIsOriginAllowed(_ => true)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials()));
}
This works just fine but I don't want to allow such a thing in production
So, how do I achieve using CORS with a subdomain?
edit: I forgot to mention that since we are using http-only cookies we must configure the AllowCredentials function
thanks!
Remove the trailing slash.
string[] allowedOrigin = new string[]
{
"https://dev-XX.myapp.nl",
"https://*.myapp.nl"
};
Reference documentation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
CORS only allow exact domain/path list or wildcard * (any)
https://*.myapp.nl is not valid.
You must list all the subdomains.
Not sure you are correct since there is SetIsOriginAllowedToAllowWildcardSubdomains()
and according to MSDN: setisoriginallowedtoallowwildcardsubdomains
the W3C spec does not allow wildcards in a orgin uri list item. it is either null, a valid uri domain spec, or "*".
https://www.w3.org/TR/2020/SPSD-cors-20200602/
note: CORS explicitly does not support sub-domains