[MSDN Redirect] CORS no longer working after recent changes

Question

After the recent changes to how CORS works with Azure (https://learn.microsoft.com/answers/questions/6842/announcement-samesite-cookie-handling-and-net-fram.html) our site is no longer working, and I can't find out why.

The web.config contains the following under customHeaders:-
[Attached web.config] - 2951-webconfig.txt

On the Azure Portal I have enabled CORS with an Allowed Origin of *

The site loads items from subdomains of itself, rather than from other sites (e.g. if the User is logged in to the URL 'bob.website.com' it will load bits from 'x.website.com', 'y.website.com' and 'z.website.com').

It worked on Azure prior to this change, and still works if I publish it to other hosts.

Anyone able to point me to what else I need to do to get this working again please?

[Source] - https://social.msdn.microsoft.com/Forums/en-US/e1b0805a-e589-4b6f-ad03-7584bd15971d/cors-no-longer-working-after-recent-changes?forum=windowsazuremanagement

Answer 1

Apologies for any frustration with this issue! Thanks for raising this good question!

The SameSite changes have nothing to do with CORS - is a different concept from cookie handling. It looks like your site has some dependency on cookie flows across different domains. As you have added web.config settings to suppress the new SameSite defaults for forms authN and session state, kindly use the developer console (F12) on the browser and review to see if there are errors showing up about specific cookies being rejected.
What app framework are you leveraging? .NET Core actually implemented more breaking changes around SameSite than plain old ASP.NET did. Kindly let us know your findings from from the developer console for further investigation.