SignalR Core 2.2 CORS AllowAnyOrigin() breaking change

3

21

To connect via SignalR to an ASP.NET Core 2.1 server from any origin, we had to configure the pipeline as follows:

app.UseCors(
  builder => builder
    .AllowAnyHeader()
    .AllowAnyMethod()
    .AllowAnyOrigin()
    .AllowCredentials()
);

According to this document, ASP.NET Core 2.2 no longer allows the combination of AllowAnyOrigin and AllowCredentials, so what would be the solution, given that SignalR Core always sends withCredentials:true in the XMLHttpRequest?

What I need is that from any origin and without credentials, our users can connect to the SignalR Hub.

Sawicki answered 14/12, 2018 at 21:16 Comment(2)
The link you cite seems to have steps to get around this. Are those steps not working for you? - Aberration
From the doc: "Modify the CORS policy to no longer allow credentials. That is, remove the call to AllowCredentials when configuring the policy". SignalR doesn't have the option to disable the withCredentials property, so no, the link does not help. Why the down vote? - Sawicki
S
48

There is a workaround; change AllowAnyOrigin to SetIsOriginAllowed:

app.UseCors(builder => builder
    .AllowAnyHeader()
    .AllowAnyMethod()
    .SetIsOriginAllowed(_ => true)
    .AllowCredentials()
);

Sawicki answered 15/12, 2018 at 8:39 Comment(3)
Man, thank you, this was an intelligent question with an intelligent answer. - Mope
Allowing arbitrary origins with credentials is very insecure, hence my downvote. The number of upvotes boggles the mind... - Oriel
Great for development purposes. - Diaper
M
1

I have found a solution. You can try the following code part:

.SetIsOriginAllowed(_ => true)

This worked for me.

Malvinamalvino answered 11/11, 2019 at 9:26 Comment(0)
H
0

You can use the "WithOrigins" method, passing the origins, maybe read from configuration.

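app.UseCors(builder => builder
    .AllowAnyHeader()
    .AllowAnyMethod()
    // Each origin must include its scheme, or it never matches the browser's Origin header.
    .WithOrigins(new string[] { "https://www.example1.com", "https://www.example2.com" })
    .AllowCredentials()
);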

If the only string passed is "*" you still have problems with SignalR. If you pass many strings and one of them is "*", it works.

Hack answered 28/2, 2019 at 13:49 Comment(2)
A working solution was already posted by Alexandre. The author asked 'What I need is that from any origin and without credentials', so your answer is not correct. I think your intention is to tell people that there is another way, by declaring specific origins, but you should post something like that as a comment. - Arron
@Arron the question from the OP is not exactly clear... since he says that SignalR always sends credentials and then that he doesn't want credentials... so this sounds like another way to solve the problem. - Homicidal
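
An added example, not part of any answer above: an ASP.NET Core 2.2 Startup that keeps AllowCredentials (the SignalR client sends withCredentials) but replaces the `_ => true` predicate with an exact-match allowlist read from configuration and validated at startup. The `Cors:AllowedOrigins` key, the `SignalRClients` policy name, `ChatHub`, the `/chat` route and the `OriginAllowList` helper are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class ChatHub : Hub { }          // hypothetical hub
public static class OriginAllowList     // hypothetical helper
{
    // Accept only absolute http(s) origins with no path or query; "*" and
    // scheme-less entries such as "www.example1.com" fail fast at startup.
    public static HashSet<string> Build(IEnumerable<string> configured)
    {
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var entry in configured ?? Enumerable.Empty<string>())
        {
            if (!Uri.TryCreate(entry, UriKind.Absolute, out var uri) ||
                (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) ||
                uri.AbsolutePath != "/" || !string.IsNullOrEmpty(uri.Query))
                throw new InvalidOperationException($"Invalid CORS origin: '{entry}'");
            set.Add(uri.GetLeftPart(UriPartial.Authority)); // scheme://host[:port]
        }
        return set;
    }
}

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Missing or empty configuration yields an empty set: no origin is allowed.
        var allowed = OriginAllowList.Build(
            _config.GetSection("Cors:AllowedOrigins").Get<string[]>());
        services.AddCors(o => o.AddPolicy("SignalRClients", b => b
            .SetIsOriginAllowed(origin => allowed.Contains(origin))
            .AllowAnyHeader()
            .AllowAnyMethod()
            .AllowCredentials()));
        services.AddSignalR();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("SignalRClients");  // must be registered before the hub route
        app.UseSignalR(routes => routes.MapHub<ChatHub>("/chat"));
    }
}
```

With this policy, a request from an unlisted origin gets no Access-Control-Allow-Origin header in the response, so the browser blocks the cross-origin SignalR negotiate call.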
