CORS configuration does not work as expected

RomKo 20

Hello!

I am going through the course module "Create a full stack application by using React and minimal API for ASP.NET Core" and this unit describes steps to enable CORS in response to allow client app request data from API - https://learn.microsoft.com/en-us/training/modules/build-web-api-minimal-spa/5-exercise-create-api

I designed the request to talk with the API without proxy and requests are blocked by CORS policy.

I can't understand why and what is wrong, because I believe all is configured properly according to course and documentation.

What am I missing here?

Thanks in advance!

With regards, Roman.

This question is related to the following Learning Module

Pradeep M 3,840 Reputation points Microsoft Vendor

2024-05-15T10:49:49.6666667+00:00

Hi RomKo,

Thank you for reaching out to Microsoft Q & A forum.

We are looking into the issue and will get back to you soon.
Pradeep M 3,840 Reputation points Microsoft Vendor

2024-05-15T11:30:42.5+00:00

Hi RomKo,

Thank you for reaching out to Microsoft Q & A forum.

It's possible that the CORS configuration on our server is not currently set to allow requests from the specific origin of your React front-end application. By default, the CORS policy in place permits requests from a predetermined example origin (http://example.com) and from any origin using the wildcard symbol '*'. This wildcard setting essentially allows requests from all origins for testing purposes. However, in practical scenarios, it's crucial to specify the exact origin of your React application to ensure secure and controlled access.

To address this matter, we recommend the following steps:

1.Confirm Origin: Begin by verifying the origin from which your React application is initiating requests. If it's running locally, it's likely to be "http://localhost:3000".

2.Update CORS Policy: Adjust our CORS policy to explicitly permit requests from the precise origin of your React application. Replace "http://example.com" with the appropriate origin. In the case of local development, "http://localhost:3000" should suffice.

3.Debugging Assistance: For further insights, consider examining the browser's console for detailed error messages related to CORS policy violations. This can provide valuable clues about which origin is encountering blocking issues and why.

4.Server Logs Analysis: Additionally, review the server logs to identify any CORS-related errors or warnings. Sometimes, the logs may contain useful information regarding rejected CORS requests, aiding in the diagnostic process.

By implementing these measures, including updating the CORS policy to accommodate requests from the correct origin and analyzing both browser console and server logs, we anticipate resolving the CORS policy blocking issue efficiently

Please feel free to contact us if you have any additional questions.

If you've found the provided answer helpful, please click the "Accept Answer/Upvote" button. This will be beneficial to other members of the Microsoft Q&A forum community.

Thank you.
RomKo 20 Reputation points

2024-05-15T13:00:03.4733333+00:00

Hi Pradeep,

The issue I am facing is that I prepared everything as it is described in the unit mentioned but when client make requests to the API without using proxy, it is getting error "CORS Missing Allow Origin".

Code copied from the unit materials, except few changes (pasted my local URLs)

Program.cs file (API project)

Pizza.jsx file (Client project)

And screenshot of the browser's window

Also I don't see any CORS headers in the response, like Access-Control-Allow-Origin etc.

And I can't understand what is wrong with the code, I thought it should work right away as provided in the unit.

Thank you!
RomKo 20 Reputation points

2024-05-15T13:21:58.21+00:00

Hi Pradeep, I have added some details in the comment to the post, please check.

Also I have no idea where to look for servrer logs, it is default server when I run "dotnet run" command, I see no errors in it's output.

Thank you.
RomKo 20 Reputation points

2024-05-15T14:58:28.1933333+00:00

I found a way to fix the issue this time by calling .AllowAnyOrigin() instead of .WithOrigins().

But I still don't understand why original code does not work.
RomKo 20 Reputation points

2024-05-15T21:26:29.71+00:00

Hi Pradeep,

that helped! Now it returns ACAO header and client works fine!

Also there are GitHub file https://github.com/MicrosoftDocs/minimal-api-work-with-databases/blob/main/PizzaStore-Cors/Program.cs and unit page https://learn.microsoft.com/en-us/training/modules/build-web-api-minimal-spa/5-exercise-create-api that would be nice to update accordingly so other students won't have this issue

Unfortunatelly I can't mark your last comment as accepted answer because it is a comment. So I have only upvoted it so far.

Thank you very much!
Pradeep M 3,840 Reputation points Microsoft Vendor

2024-05-16T03:09:32.0933333+00:00

Hi RomKo,

I'm pleased to hear that the solution resolved the issue, and your client is now operating smoothly with the returned ACAO header. To ensure future students don't encounter similar problems, I suggest contacting the maintainers or administrators of the GitHub file and unit page to update them accordingly. Thank you for your upvote and for bringing this matter to our attention. Should you have any further inquiries, please don't hesitate to ask

Thank you.

Accepted answer

Pradeep M 3,840 Reputation points Microsoft Vendor

2024-05-15T17:20:22.4433333+00:00
Hi RomKo,

Thank you for reaching out to Microsoft Q & A forum.

Thank you for bringing the issue to our attention. The error message "cors missing allow origin" signals a problem with the Cross-Origin Resource Sharing (CORS) setup in our application. CORS serves as a security measure enforced by web browsers to regulate cross-origin HTTP requests.

Upon investigation, it appears that the CORS policy was not correctly applied, leading to the absence of necessary CORS headers in the response. The issue stems from the inclusion of "" (wildcard) as an allowed origin in the CORS policy. Allowing "" permits requests from any origin, potentially exposing security vulnerabilities and causing errors.

To rectify this, we've adjusted the CORS policy to explicitly define the origins from which we permit requests, such as "[http://example.com]" and "[http://localhost:3000]". This ensures that only requests from these trusted origins are accepted, bolstering the security of our application.

builder.Services.AddCors(options => { options.AddPolicy(name: MyAllowSpecificOrigins, builder => { builder.WithOrigins( "http://example.com", "http://localhost:3000" ) .AllowAnyHeader() .AllowAnyMethod(); }); });

This adjustment should properly enforce the CORS policy, ensuring that the necessary CORS headers, like Access-Control-Allow-Origin, are included in the response. Consequently, this will resolve the "cors missing allow origin" error and restore the proper functionality of our application.

If you have any further questions or concerns, please don't hesitate to reach out. We're here to assist you further.

If you've found the provided answer helpful, please click the "Accept Answer/Upvote" button. This will be beneficial to other members of the Microsoft Q&A forum community.

Thank you.
Please sign in to rate this answer.

1 person found this answer helpful.
RomKo 20 Reputation points

2024-05-16T10:20:01.41+00:00

Hi Pradeep,

I have to add. I was playing with the code again and it looks like these methods did not do the real trick.

First time I tried code from the unit and it did not work:

.WithOrigins( "http://example.com", "*");

So I updated it this way:

.WithOrigins( "http://example.com", "http://localhost:3000/", "*");

And this was not working as well, but when I tried your suggestion it worked because it was not containing slash at the end:

WithOrigins( "http://example.com", "http://localhost:3000", "*");

Also I found out that it works when asterisk provided as the only option:

WithOrigins("*");

Anyway thanks for your suggestion!
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

1 additional answer

Bruce (SqlWork.com) 66,706 Reputation points

2024-05-15T17:59:19.7033333+00:00
you confused the vite proxy port with the core port.

vite proxy: http://localhost:3000

core api: http://localhost:5100

you should have configured the vite proxy to forward any request /pizza => http://localhost:5100

now in your react code you have two ways to call the api.

http://localhost:3000/pizza => via proxy and does not require CORS

http://localhost:5100/pizza => directly call core api requires CORS on port 5100

you picked the second, port 5100, but the api CORS settings were for port 3100.

note: if the intent was to have the api site host the react static pages (and use the proxy feature in dev), then a better api url would have been:

const API_URL = '/pizzas';
Please sign in to rate this answer.
RomKo 20 Reputation points

2024-05-15T21:32:13.91+00:00

Hi Bruce,

no I have not confused that. API works on port 5100 and client site accepts connection on port 3000. They were working fine separatelly but not together.

CORS origins configured fine as well.

As Pradeep mentioned in the comment two calls should be added to fix the issue:

builder.WithOrigins( "http://example.com", "http://localhost:3000" ) .AllowAnyHeader() .AllowAnyMethod();

Now it works fine.

Thank you.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

CORS configuration does not work as expected

1 additional answer

Your answer