How to disable Azure App Service CORS entirely

Question

Hi Team,

I have an ASP.NET Core 5 application with CORS enabled that works as expected locally, but not when hosted in an App Service. It does if I configure the allowed origins on the App Service itself, but by doing so I understand it overrides the application's policy, which isn't desired behaviour as it doesn't allow the same granularity of control we require.

Every literature I could find indicates that if the CORS config in the Azure portal is completely blank then the application would be responsible for handling these requests but that does not seem to be the case currently.

How can I completely disable CORS at the App Service level and let the application handle that itself?

Using resources.azure.com I can confirm that having the "cors" node omitted from the template, or set to the following, makes no difference whatsoever:

        "cors": {
          "allowedOrigins": [],
          "supportCredentials": false
        }

Any help greatly appreciated.

Best regards.

Answer 1

You can use the Azure CLI command az webapp cors remove --allowed-origins to remove CORS. From the portal, search for CORS under your app service and remove any origins that's listed.

You are correct on the following:

Every literature I could find indicates that if the CORS config in the Azure portal is completely blank then the application would be responsible for handling these requests but that does not seem to be the case currently.

Since you don't have any listed origins, the issue may be something else. I'm assuming you enabled CORS like https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-5.0? Can you elaborate further on the issue you're seeing?

Regards,
Ryan