Disable CORS middleware of Azure app service

Asked 11/8, 2017 at 6:29 Answered 11/7, 2022 at 17:28

azure cors asp.net-core-webapi azure-app-service-envrmnt

I wrote some code to handle CORS into my Web Api(.Net Core). These code perfectly works on my local and test server(Azure app service) but it is not working on production(Azure app service). It gives error-

XMLHttpRequest cannot load http://myapiproduction.co/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://myuidashboard.co' is therefore not allowed access.

I gave correct allowed origin url in appsettings.Production.json. I removed all value (*) from CORS section of Azure app service(Production env).

When we removed every thing from CORS section of app service then our code logic should work because at a time only one middleware will work either app service's CORS middleware or our Web Api code logic.

Web Api (Startup.cs)-

var allowedOriginsArr = Configuration["AppSettings:AllowedOrigins"].Split(','); //Example- "http://myuidashboard.co"
services.AddCors(options =>
{
  options.AddPolicy("AllowAllCorsPolicy",
    builder => builder.WithOrigins(allowedOriginsArr)
               .WithMethods("GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS")
               .AllowAnyHeader()
               .WithExposedHeaders("X-Auth-Token")
               .AllowCredentials());
});

So, my question is - Is there any other setting i have to do to disable CORS middleware of Azure app service? I want to control CORS completely by code (Api logic).

Dessiatine answered 11/8, 2017 at 6:29 Comment(3)

Make sure your environment variable is set to access appsettings.production.json. – Pasteurize 14/8, 2017 at 2:17

If it worked in test Azure, but not in prod Azure? Sounds like those resources are configured differently. Ignore the GUI, look at the data. Compare the ARM templates for both resources. Study the differences. Do either of them have anything in the CORS section? If prod has a CORS section, remove it and redeploy. – Beutler 12/6, 2020 at 20:55

Can you run a profiler trace and show us the results of the exceptions tab? Go to Diagnose and Solve>Diagnostic Tools > .NET Profiler Trace and show us the results. Some times the CORS is caused due to invalid Date/Time values(I know this does not makes sense, but Ive seen it) – Crematorium 9/8, 2020 at 6:9

I don't think there is any extra setting to disable it explicitly from Azure App Service side. Microsoft itself recommend to use your CORS utilities instead of inbuilt one - Refer Here.

Note Provided by Doc -

Don't try to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect.

Eclogite answered 4/3, 2021 at 5:53 Comment(0)

Try to check the deployed appsettings.json in the associated appservice using Kudu or command line. Might be the appsettings isn't being applied.

Associated App Service > Under the Development Tools > Advanced Tools (Kudu)

Associated App Service > Under the Development Tools > Console

Dovetailed answered 28/6, 2021 at 23:52 Comment(0)

Don't try to use App Service CORS and your own CORS code together. When used together, App Service CORS takes precedence and your own CORS code has no effect.

Please see below how to correctly configure CORS on ASP.Net core app:

https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-6.0

Or you can also specify and AllowAnyOrigin but, it's unsecure configuration and can result in cross-site request forgery.

EDIT

As long as I know there's not available functionality to "disable" CORS in Azure hosted app.

Heshvan answered 11/7, 2022 at 17:28 Comment(0)

-2

My azure site is programmed in vb.net, but ultimately I had to do this and then it worked:

Dim strMethod As String 

strMethod = Request.HttpMethod.ToUpper

If InStr(strMethod, "OPTIONS") Then

   Response.Flush()

End If

Vicariate answered 9/5, 2019 at 23:37 Comment(0)

Recommended topics

Hot tags