dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

CORS setting in asp.net core 6.0 is not restricting the origins #42463

Closed nallu026 closed 2 years ago

nallu026 commented 2 years ago

Is there an existing issue for this?

Describe the bug

Hi there, I have created an ASP.NET Core 6.0 Web API and am trying to set a CORS policy. I have applied a policy to allow only a few origins, but it is not working as expected; instead it allows all the sites which consume this API. Can you please help me with what I am missing? Here is my program.cs file.

```csharp
var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddCors(options =>
{
    options.AddPolicy("myPolicy", policy =>
    {
        policy.WithOrigins("http://example.com").AllowAnyHeader().AllowAnyMethod();
    });
});

builder.Services.AddControllers();

// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
// The DbContext type argument was lost when the issue was extracted; <AppDbContext> is a placeholder name.
builder.Services.AddDbContext<AppDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("defaultConnection")));

//builder.Services.AddCors();
var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();
app.UseRouting();
app.UseCors("myPolicy");
app.UseAuthorization();

app.MapControllers();

app.Run();
```

Expected Behavior

I expected access to the endpoints to be allowed only for requests from example.com, but it allows all other sites too. Your help is much appreciated.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

rafikiassumani-msft commented 2 years ago

@nallu026 Is your app hosted behind a proxy with CORS configurations? Can you provide some network traffic for the endpoints that you believe aren't working? Do you have a separate front-end app (SPA) from your backend?

ghost commented 2 years ago

Hi @nallu026. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

brockallen commented 2 years ago

CORS doesn't restrict anything -- it relaxes the browser same-origin policy.
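A small Python model of what the `myPolicy` configuration in this issue actually does, added here as an illustration; it is not code from the thread and not ASP.NET Core's own `CorsMiddleware`. The `handle`, `browser_fetch`, `script_fetch` and `handle_with_auth` functions, the `http://other.test` origin and the orders payload are all constructed for the example. It shows that the server only decides which `Access-Control-*` headers to send back, that the browser is the component that enforces the outcome, and that a client which is not a browser, or an endpoint with no authentication, is not affected by the policy at all.

```python
from dataclasses import dataclass

# Constructed model of the CORS header negotiation. It is NOT ASP.NET Core's
# CorsMiddleware, only a simplified stand-in with the same shape of policy.


@dataclass(frozen=True)
class CorsPolicy:
    origins: frozenset        # WithOrigins(...)
    allow_any_header: bool    # AllowAnyHeader()
    allow_any_method: bool    # AllowAnyMethod()


# Equivalent of "myPolicy" from the issue.
MY_POLICY = CorsPolicy(frozenset({"http://example.com"}), True, True)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed sample payload the endpoint returns.
ORDERS_JSON = '{"orders": [{"id": 1, "total": 42.0}]}'


def handle(method, headers, policy=MY_POLICY):
    """Server side. Runs the endpoint and adds CORS headers only for allowed origins.

    Key property: the body is produced whether or not the Origin is allowed.
    CORS decides which headers go back, never whether the handler runs.
    """
    origin = headers.get("Origin")
    cors = {}
    if origin in policy.origins:
        cors["Access-Control-Allow-Origin"] = origin
    is_preflight = method == "OPTIONS" and "Access-Control-Request-Method" in headers
    if is_preflight:
        # A preflight never reaches the endpoint. An allowed origin also gets the
        # method/header grants; a disallowed origin gets an empty 204.
        if cors and policy.allow_any_method:
            cors["Access-Control-Allow-Methods"] = headers["Access-Control-Request-Method"]
        if cors and policy.allow_any_header and "Access-Control-Request-Headers" in headers:
            cors["Access-Control-Allow-Headers"] = headers["Access-Control-Request-Headers"]
        return Response(204, cors, "")
    return Response(200, {"Content-Type": "application/json", **cors}, ORDERS_JSON)


SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def browser_fetch(page_origin, method="GET", policy=MY_POLICY):
    """Browser side: this is where the same-origin policy is actually enforced.

    Returns the body the page's script may read, or None when the browser blocks it.
    """
    if method not in SIMPLE_METHODS:
        pre = handle("OPTIONS", {"Origin": page_origin,
                                 "Access-Control-Request-Method": method}, policy)
        granted = [m.strip() for m in pre.headers.get("Access-Control-Allow-Methods", "").split(",")]
        if pre.headers.get("Access-Control-Allow-Origin") not in (page_origin, "*") or method not in granted:
            return None          # preflight failed: the real request is never sent
    resp = handle(method, {"Origin": page_origin}, policy)
    if resp.headers.get("Access-Control-Allow-Origin") in (page_origin, "*"):
        return resp.body
    return None                  # bytes arrived, but the browser refuses to expose them


def script_fetch(method="GET", policy=MY_POLICY):
    """Any non-browser client (curl, another server, a mobile app): no Origin, no enforcement."""
    return handle(method, {}, policy).body


def handle_with_auth(method, headers, expected_token, policy=MY_POLICY):
    """What actually restricts access: authenticate the caller before serving the resource."""
    if headers.get("Authorization") != f"Bearer {expected_token}":
        return Response(401, {"WWW-Authenticate": "Bearer"}, "")
    return handle(method, headers, policy)


if __name__ == "__main__":
    print("page on example.com :", browser_fetch("http://example.com"))
    print("page on other.test  :", browser_fetch("http://other.test"))
    print("curl / any script   :", script_fetch())
    print("server status for other.test:", handle("GET", {"Origin": "http://other.test"}).status)
```

Running it shows the three outcomes the comment above is pointing at: the page on example.com reads the body, the page on other.test gets `None` because its browser withholds a response the server nevertheless produced with status 200, and a scripted client reads the body with no policy involved. The behaviour the reporter wants, serving the endpoint only to callers they trust, comes from authentication and authorization on the endpoint (the `handle_with_auth` path here; `UseAuthentication`/`UseAuthorization` with a configured scheme in ASP.NET Core), not from the CORS policy.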

ghost commented 2 years ago

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.