twitchax / AspNetCore.Proxy

ASP.NET Core Proxies made easy.
MIT License

Asp.net core proxy keeps throwing 403 #46

Closed Corstiaan84 closed 4 years ago

Corstiaan84 commented 4 years ago

I'm using AspNetCore.Proxy to proxy the call to a static resource to an external service. I do some preprocessing to verify the user and to construct the URL to the external service (which I want to keep hidden from the user).

In my Startup.Configure() I have this:

app.UseProxies(builder =>
{
    builder.Map("attached_resource/{id}", proxy =>
    {
        proxy.UseHttp((context, arguments) =>
        {
            var scope = context.RequestServices
                .GetRequiredService<IServiceScopeFactory>().CreateScope();
            using (scope)
            {
                var attachedResourceService = scope.ServiceProvider.GetService<AttachedResourceService>();
                var providerContext = scope.ServiceProvider.GetService<ContentProviderContext>();
                var resourceId = int.Parse(arguments["id"].ToString());
                var sourceUrl = attachedResourceService.GetProviderResourceUrl(resourceId, providerContext.User.Id);
                context.Request.Method = "POST";
                context.Request.Headers.Add("auth", providerContext.User.Token);
                return sourceUrl.Url;
            }
        });
    });
});

The weird thing is, this works, but only when calling from Postman, directly from the address bar in the browser, or from a static HTML page. BUT... it returns a 403 every time I make the resource request from within my own app, from like a view or template.

So when I add an img tag to a static local plain HTML page it works:

<img src="https://localhost:5001/attached_resource/104" />

When I put the EXACT same img tag in a .cshtml view or layout, the Chrome console (and the ASP.NET Core app terminal) shows it returning 403.

Using ASP.NET Core 3.1 with a few server-side rendered Blazor components. So a plain MVC app, not an all-out Blazor app.

I must be missing something very obvious. Any ideas? Thanks for thinking along with me.

twitchax commented 4 years ago

Interesting. I find that really weird.

Can you debug the endpoint in the proxy to see what the HTTP request payload looks like, and paste it here in both the failure case and the success case?

Corstiaan84 commented 4 years ago

Figured it out. Ran a diff against the two types of requests, comparing each header's presence and value. When making the request from within the context of the ASP.NET Core app, the "Referer" header got set. In any of the other scenarios, it was empty. After setting it to an empty string it worked.
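
The header comparison described in the comment above, as an added example that is not part of the original thread or of AspNetCore.Proxy: it diffs two captured header sets by presence and value, and masks credential-bearing headers (including the `auth` header the proxy callback adds) so the report can be pasted into a public issue. `HeaderDiff`, the redaction list and the sample captures are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: HeaderDiff and the sample captures are constructed for
// illustration; they are not from the issue or from AspNetCore.Proxy.
public static class HeaderDiff
{
    // Values of these headers are masked so the report can be pasted publicly.
    // "auth" is the custom header the proxy callback in the issue adds.
    static readonly HashSet<string> Sensitive = new HashSet<string>(
        new[] { "auth", "Authorization", "Cookie" }, StringComparer.OrdinalIgnoreCase);

    static string Show(string name, string value) =>
        Sensitive.Contains(name) ? "<redacted>" : value;
    // Header names are case-insensitive, so both captures are re-keyed first.
    public static List<string> Compare(
        IDictionary<string, string> working, IDictionary<string, string> failing)
    {
        var ok = new Dictionary<string, string>(working, StringComparer.OrdinalIgnoreCase);
        var bad = new Dictionary<string, string>(failing, StringComparer.OrdinalIgnoreCase);
        var report = new List<string>();
        foreach (var name in ok.Keys.Union(bad.Keys, StringComparer.OrdinalIgnoreCase)
                                    .OrderBy(n => n, StringComparer.OrdinalIgnoreCase))
        {
            var inOk = ok.TryGetValue(name, out var okValue);
            var inBad = bad.TryGetValue(name, out var badValue);
            if (inOk && !inBad)
                report.Add($"only in working: {name}: {Show(name, okValue)}");
            else if (!inOk && inBad)
                report.Add($"only in failing: {name}: {Show(name, badValue)}");
            else if (!string.Equals(okValue, badValue, StringComparison.Ordinal))
                report.Add($"differs: {name}: {Show(name, okValue)} vs {Show(name, badValue)}");
        }
        return report;
    }

    public static void Main()
    {
        // Constructed captures: a direct request and one issued from a rendered view.
        var working = new Dictionary<string, string>
            { ["Host"] = "localhost:5001", ["auth"] = "token-a" };
        var failing = new Dictionary<string, string>
            { ["host"] = "localhost:5001", ["auth"] = "token-b",
              ["Referer"] = "https://localhost:5001/constructed-page" };
        foreach (var line in Compare(working, failing))
            Console.WriteLine(line);
    }
}
```

With the constructed captures, the report flags `auth` as differing without printing either token and lists `Referer` as present only in the failing request.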

twitchax commented 4 years ago

Hmmm, that shouldn’t break it, though...

twitchax commented 4 years ago

@Corstiaan84, I cannot seem to repro this. Can you tell me what was in the Referer header so that I can try to reproduce?

twitchax commented 4 years ago

@Corstiaan84 closing this. Please reopen if you can provide a repro or test PR. 😄