question

RM-8234 avatar image
0 Votes"
RM-8234 asked ryanchill answered

How to disable Azure App Service CORS entirely

Hi Team,

I have an ASP.NET Core 5 application with CORS enabled that works as expected locally, but not when hosted in an App Service. It does if I configure the allowed origins on the App Service itself, but by doing so I understand it overrides the application's policy, which isn't desired behaviour as it doesn't allow the same granularity of control we require.

Every literature I could find indicates that if the CORS config in the Azure portal is completely blank then the application would be responsible for handling these requests but that does not seem to be the case currently.

How can I completely disable CORS at the App Service level and let the application handle that itself?

Using resources.azure.com I can confirm that having the "cors" node omitted from the template, or set to the following, makes no difference whatsoever:

         "cors": {
           "allowedOrigins": [],
           "supportCredentials": false
         }

Any help greatly appreciated.

Best regards.

azure-webapps-apis
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

ryanchill avatar image
0 Votes"
ryanchill answered

You can use the Azure CLI command az webapp cors remove --allowed-origins to remove CORS. From the portal, search for CORS under your app service and remove any origins that's listed.

81906-image.png


You are correct on the following:

Every literature I could find indicates that if the CORS config in the Azure portal is completely blank then the application would be responsible for handling these requests but that does not seem to be the case currently.

Since you don't have any listed origins, the issue may be something else. I'm assuming you enabled CORS like https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0? Can you elaborate further on the issue you're seeing?

Regards,
Ryan



image.png (228.7 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.