Azure API Management CORS: Why do I get "Headers starting with 'Access-Control-' were removed..."
With a simple policy below:

<policies>
    <inbound>
        <cors>
            <allowed-origins>
                <origin>http://microfost.com/</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>GET</method>
                <method>POST</method>
                <method>PATCH</method>
                <method>DELETE</method>
            </allowed-methods>
            <allowed-headers>
                <header>content-type</header>
                <header>accept</header>
                <header>Authorization</header>
            </allowed-headers>
        </cors>
    </inbound>
</policies>  

HTTP request

OPTIONS https://XXXX.azure-api.net/demo/XXX/XXX/* HTTP/1.1
Host: XXXX.azure-api.net
Ocp-Apim-Trace: true
Ocp-Apim-Subscription-Key: <secret>
Origin: http://microfost.com
Access-Control-Request-Headers: Authorization
Access-Control-Request-Method: GET

Response content

Access-Control-Allow-Origin: http://microfost.com
Ocp-Apim-Trace-Location: <trace>
Date: Mon, 27 Feb 2017 20:09:14 GMT
Content-Length: 0

I get this message and, although I expect the Origin response header, I do not receive anything for 2 out of 3 APIs (1 API is working with the same policy as expected).

**Inbound**
[...]
cors (0 ms)
"Cross domain request was well formed and was allowed to proceed. CORS related headers were added to the response."

**Backend**

No records.
**Outbound**

cors (0 ms)
{
    "message": "Headers starting with 'Access-Control-' were removed from the response. ",
    "headers": []
}
transfer-response (0 ms)
{
    "message": "Response headers have been sent to the caller."
}

This seems to me to be nonsensical behavior and might be a bug. Before submitting it, I would like to ask whether there is any explanation. Why do I get this?

Headers starting with 'Access-Control-' were removed from the response.

Claw answered 27/2, 2017 at 20:13 Comment(4)
Is this the whole response that you're getting? You should be getting Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Max-Age, and Access-Control-Allow-Methods headers. But not just "Origin". The CORS spec (w3.org/TR/cors) describes Origin as a request-only header. - Dominion

Yes. This is the whole response I get. What I am missing is the headers you have mentioned. - Claw

Try to add the <base /> to your inbound policy, so higher-level policies will be called. - Bobsled

Although calling higher-level policies is good practice, in this particular case I eliminated it on purpose, but as you can see some mystical outbound policies are still applied. - Claw

There are two ways to do CORS in Azure API Management. Automatic - just drop and configure the CORS policy in the desired scope and APIM will take care of responding to OPTIONS requests that match existing operations.

Or you can choose manual way - create a separate operation that responds to OPTIONS method and form response manually right in the policy, possibly using return-response policy.

The problem you're having is because you have both. They're basically in conflict. The CORS policy identifies the request as cross-origin and schedules processing for after the request is complete, but the return-response policy at the OPTIONS operation level breaks this processing pipeline and returns the response immediately, before the CORS policy can take action.

Since you're using CORS policy you should remove OPTIONS operation from your API to make things work.

Dominion answered 1/3, 2017 at 1:37 Comment(1)
You are absolutely right, we tested and it worked. Although it is still disturbing that the 1st API that was created worked even with the extra OPTIONS policy. I would say that the documentation is not clear on how to configure it (learn.microsoft.com/en-us/azure/api-management/…). Thanks for the answer! - Claw
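As an added example (not part of the answer above, and not taken from Microsoft's documentation), this is what the "manual" alternative the answer describes looks like: a policy scoped to a dedicated OPTIONS operation that answers the preflight itself with return-response. The origin, methods and headers are the ones from the question's policy; the example assumes no <cors> policy is applied at the API or product scope, because, as the answer explains, combining the two is exactly what breaks the pipeline.

```xml
<policies>
    <inbound>
        <base />
        <!-- Manual preflight handling: answer the OPTIONS request here and stop.
             return-response short-circuits the pipeline, so no outbound section
             runs and a <cors> policy at a higher scope would never get to add
             its headers. Use either this operation or <cors>, never both. -->
        <return-response>
            <set-status code="200" reason="OK" />
            <!-- Allow only an explicitly listed origin. Do not answer with "*"
                 when credentials (cookies, Authorization) are expected. -->
            <set-header name="Access-Control-Allow-Origin" exists-action="override">
                <value>http://microfost.com</value>
            </set-header>
            <set-header name="Access-Control-Allow-Methods" exists-action="override">
                <value>GET, POST, PATCH, DELETE</value>
            </set-header>
            <set-header name="Access-Control-Allow-Headers" exists-action="override">
                <value>content-type, accept, Authorization</value>
            </set-header>
            <!-- Same lifetime as preflight-result-max-age="300" in the question. -->
            <set-header name="Access-Control-Max-Age" exists-action="override">
                <value>300</value>
            </set-header>
            <!-- Tell caches that the answer depends on the Origin header, so one
                 origin's preflight result is never served to another origin. -->
            <set-header name="Vary" exists-action="override">
                <value>Origin</value>
            </set-header>
        </return-response>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A quick way to tell which mode an API is in is to look for an OPTIONS operation in its operation list: if one exists with a return-response policy, the trace will show the outbound cors step reporting that Access-Control-* headers were removed, as in the question, because the <cors> policy never saw the preflight complete normally.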

I was having a similar issue. Adding <base /> fixed it for me.

<policies>
    <inbound>
        <base />
        <!-- your policy here -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Peroxide answered 4/5, 2020 at 0:51 Comment(0)

Add the attribute allow-credentials="true" to your cors tag.

See: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-cross-domain-policies.md

Mather answered 13/3, 2018 at 16:56 Comment(0)