XmlHttpRequest Block by CORS – No Access-Control-Allow-Origin

Question

XmlHttpRequest Block by CORS – No Access-Control-Allow-Origin

lesponce 176

I’m calling a backend ASP.NET Core C# API from Angular 13. I’m able to hit the controller, however, when it tries to access an external site it’s getting this error:

Access to XMLHttpRequest at ‘https://anotherdomain.com’ (Redirected from ‘https://localhost:44397/api/Auth/StartProcess from origin ‘https://localhost:44397’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

This is currently happening in my development environment (localhost). Any feedback is greatly appreciated.

// -- Startup Class  
// In configured services method:  
Services.AddCors(options => options.AddPolicy(“Cors”, builder =>  
{  
	builder.AllowAnyMethod();  
               builder.AllowAnyHeader();  
})));  
  
// In Configured method:  
app.UserForwardedHeaders();  
app.UseHttpsRedirection();  
app.UseStaticFiles();  
app.UseRouting();  
app.UseHsts();  
app.UseCors(“Cors”);  
  

//   --  Controller  
[HttpGet]  
[Route(“[action]”)]  
public async Task<IActionResult> StartProcess()  
{  
      var partnerName = “some value”;  
     var returnUrl = “some value”;  
  
      Await _authProvider.InitiateProcessAsync(partnerName, returnUrl)  
      Return new EmptyResult();  
}  
  


//  Home.Service.ts  
Contructor(private _http HttpClient, private _httpErrorHandler: ) { }  
  
public StartProcess() {  
return this.http.get(environment.pages.home.auth.route).subscribe(res =>  
Console.log(“response”, res);  
);  
  
}

Anonymous

2022-12-06T08:26:41.26+00:00

Hi lesponce, the cors policy you set in your api project makes your Angular app to be able to access your api project, but the error message indicates your api project was trying to call another domain.. Could you pls let us know what your code Await _authProvider.InitiateProcessAsync(partnerName, returnUrl) did? Or in other words, if you just return "success" in StartProcess method, will the API be called successfully?
lesponce 176 Reputation points

2022-12-06T14:48:28.42+00:00

Hi tinywan-msft, regarding this line of code Await _authProvider.InitiateProcessAsync(partnerName, returnUrl), it doesn't throw an error. The error happens after that method is complete. So, I don't know if the header need to applied on the external site, which is the one with a different domain.
Lex Li (Microsoft) 6,037 Reputation points Microsoft Employee

2022-12-09T07:23:21.267+00:00

Your sample code does not reveal what is "when it tries to access an external site it’s getting this error". Where is the code for external site access?

2 answers

Your answer

Anonymous

2022-12-06T08:26:41.26+00:00

Hi lesponce, the cors policy you set in your api project makes your Angular app to be able to access your api project, but the error message indicates your api project was trying to call another domain.. Could you pls let us know what your code Await _authProvider.InitiateProcessAsync(partnerName, returnUrl) did? Or in other words, if you just return "success" in StartProcess method, will the API be called successfully?
lesponce 176 Reputation points

2022-12-06T14:48:28.42+00:00

Hi tinywan-msft, regarding this line of code Await _authProvider.InitiateProcessAsync(partnerName, returnUrl), it doesn't throw an error. The error happens after that method is complete. So, I don't know if the header need to applied on the external site, which is the one with a different domain.
Lex Li (Microsoft) 6,037 Reputation points Microsoft Employee

2022-12-09T07:23:21.267+00:00

Your sample code does not reveal what is "when it tries to access an external site it’s getting this error". Where is the code for external site access?

Answer 1

Laxmikant 221

try to set default policy for development environment.
https://geeksarray.com/blog/how-to-setup-cors-policies-in-aspnet-core-web-api

if(builder.Environment.IsDevelopment())  
{  
    builder.Services.AddCors(options =>  
    {  
          
        options.AddDefaultPolicy(  
            policy =>  
            {  
                policy.AllowAnyOrigin()  
                    .AllowAnyHeader()  
                    .AllowAnyMethod();  
            });  
    });  
}

lesponce 176 Reputation points

2022-12-06T15:56:03.99+00:00

Thanks for your response. This approach didn't work.

Answer 2

AgaveJoe 30,126

The HTTP redirect response is returned to the angular application. The HTTP response has a location header that contains a URL. The angular application submits a GET to this URL. If the URL is a different domain and the domain is not configured for CORS then the browser (angular application) will throw a CORS error.

If you cannot enable CORS on the other domain then you'll need to rethink the design and do the HTTP call from Web API not the angular application.

lesponce 176 Reputation points

2022-12-06T16:38:41.133+00:00

The Engineers that manage the other domain are updated CORS so it has Access-Control-Allow-Origin configured. I'll keep you posted. Thanks for your feedback.

Share via

XmlHttpRequest Block by CORS – No Access-Control-Allow-Origin

2 answers

Your answer