4,826 questions
CORS only allow exact domain/path list or wildcard * (any)
https://*.myapp.nl is not valid.
You must list all the subdomains.
.NET 5 WEB API - Can't configure CORS with subdomain (or even with the full domain name)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 87%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
Amir Dar
1
Reputation point
I'm having a problem with configuring CORS in our web API project.
in Startup.cs we have the following configuration:
protected override void ConfigureApplication(IApplicationBuilder app, IWebHostEnvironment env, IHostApplicationLifetime appLifetime)
{
base.ConfigureApplication(app, env, appLifetime);
app.UseCors();
// ....
}
public override void ConfigureServices(IServiceCollection services)
{
// ...
this.ConfigureCrossOrigin(services);
// ...
}
private void ConfigureCrossOrigin(IServiceCollection services)
{
string[] allowedOrigin = new string[]
{
"https://dev-XX.myapp.nl/",
"https://*.myapp.nl/"
};
services.AddCors(options =>
options.AddDefaultPolicy(builder =>
builder
.SetIsOriginAllowedToAllowWildcardSubdomains()
.WithOrigins(allowedOrigin)
.AllowCredentials()
.AllowAnyMethod()
.AllowAnyHeader()));
}
Now, we have a client website that URL is https://dev-XX.myapp.nl/
and our server (API) is running at https://dev-api.myapp.nl/
so, for example, when the client site wants to perform a login it will send a POST request to https://dev-api.myapp.nl/api/login
The problem is that no matter what variation I put in the allowedOrigins I get a CORS error I tried:
"https://*.myapp.nl/" , "https://*-XX.myapp.nl/", "https://dev-XX.myapp.nl/"
nothing seems to work!
By the way, we have a "development" mode that allows all origins to send requests to the API and we configure it as follows:
private void ConfigureCrossOrigin(IServiceCollection services)
{
string[] allowedOrigin = new string[]
{
"https://dev-XX.myapp.nl/",
"https://*.myapp.nl/"
};
services.AddCors(options =>
options.AddDefaultPolicy(builder =>
builder
.SetIsOriginAllowed(_ => true)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials()));
}
This works just fine but I don't want to allow such a thing in production
So, how do I achieve using CORS with a subdomain?
edit: I forgot to mention that since we are using http-only cookies we must configure the AllowCredentials function
thanks!
Developer technologies | ASP.NET | ASP.NET Core
{count} votes
-
AgaveJoe 30,126 Reputation points2022-11-28T12:18:43.373+00:00 Remove the trailing slash.
string[] allowedOrigin = new string[] { "https://dev-XX.myapp.nl", "https://*.myapp.nl" };Reference documentation
Sign in to comment
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 78,006 Reputation points Volunteer Moderator2022-11-28T16:14:26.123+00:00 -
Amir Dar 1 Reputation point
2022-11-28T17:04:21.763+00:00 Not sure you are correct since there is
SetIsOriginAllowedToAllowWildcardSubdomains()and according to MSDN: setisoriginallowedtoallowwildcardsubdomains
-
Bruce (SqlWork.com) 78,006 Reputation points Volunteer Moderator
2022-11-28T18:25:08.357+00:00 the W3C spec does not allow wildcards in a orgin uri list item. it is either null, a valid uri domain spec, or "*".
https://www.w3.org/TR/2020/SPSD-cors-20200602/
note: CORS explicitly does not support sub-domains
Sign in to comment -