Overview:
- I have performed 2 experiments to understand the implementation of asp.net core libraries with regard to the CORS specification
- Experiment 1 shows that a web page (HTML) is not able to make an AJAX request to another endpoint (asp.net core).
- Experiment 2 shows that after allowing CORS in the asp.net core application the web page is able to successfully make the AJAX request.
- The question for me is "Why is a simple GET call with no cookies or auth token affected by CORS middleware"
- The other question is "How can a GET call be blocked by CORS without making a preflight OPTIONS call"
Experiment 1:
- Create a simple asp.net core api application with one end point https://localhost:5001/hello
- Create a html page, that hits the end point on load
- Run the asp.net core application
- Open the html page in a browser and observe the console
Observation 1:
- The empty html page loads
- There is an error in the console saying "Failed to load resource: net::ERR_CONNECTION_REFUSED"
- While checking the network tab of the browser, the GET call has failed.
- There has been no OPTIONS call
Experiment 2:
- Modify the asp.net core application to add an any-origin CORS policy
- Use the cors policy
- Run the asp.net core application
- Open the html page in a browser and observe the console
Observation 2:
- The empty html page loads
- There is NO error in the console saying "Failed to load resource: net::ERR_CONNECTION_REFUSED". The page is successfully able to access the resource from asp.net core application
- While checking the network tab of the browser, the GET call has succeeded.
- There has been no OPTIONS call
Doubt:
- Why is adding CORS affecting this behavior? As per the CORS specification, a simple GET is not affected by CORS.
- Even if CORS is supposed to affect this, the behavior is not as per the CORS specification. There has been no OPTIONS call. The call that's failing is the GET.
asp.net core code
HelloController.cs
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("[controller]")]
public class HelloController : ControllerBase
{
    // Handles GET https://localhost:5001/hello
    [HttpGet]
    public string Hello()
    {
        return "hello";
    }
}
StartUp.cs
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        //********************************************
        // Enabled for the second experiment
        services.AddCors(c =>
        {
            c.AddPolicy("AllowOrigin", options => options.AllowAnyOrigin());
        });
        //********************************************
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseHttpsRedirection();
        app.UseRouting();

        //***************************************
        // Enable for the second experiment.
        // UseCors must run after UseRouting and before UseAuthorization/UseEndpoints.
        app.UseCors("AllowOrigin");
        //****************************************

        app.UseAuthorization();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
HTML Code page.html
<html>
<body onload="updateDB();">
<script>
// Fires a cross-origin GET to the API on page load. The response body is
// never read, so only the browser console and network tab show the outcome.
function updateDB() {
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "https://localhost:5001/hello", true);
    xhr.send(null);
}
</script>
</body>
</html>
- The question is not a debugging question. I have already found a workaround for the issue by adding a CORS policy in experiment 2. My question is more on why there is a dependence between CORS, a simple GET call, and asp.net core. Am I misunderstanding the CORS specification? Or is asp.net core over-implementing CORS (less likely)? (Nachiappan Kumarappan, Sep 14, 2020 at 7:10)
- @DocBrown, let me modify the question to bring out my intent. (Nachiappan Kumarappan, Sep 14, 2020 at 7:16)
- Ok, I agree, it is not a debugging question. Still not sure if placing it on SO would not increase the likelihood of finding experts on this topic. (Doc Brown, Sep 14, 2020 at 9:29)
- The reason I added it here is I thought mostly my understanding of CORS is wrong, and the answer would move it in that direction.... I would be happy to move to SO if it would have a better probability of finding a solution... Let me know your opinion. (Nachiappan Kumarappan, Sep 14, 2020 at 9:38)
- Maybe you leave it here for a week, and if no one answers it, try your luck on SO. (Doc Brown, Sep 14, 2020 at 14:33)
1 Answer
I believe you are simply misunderstanding the (insanely complex) CORS documentation.
A GET request doesn't need a preflight request, but is still subject to CORS unless its mode is no-cors.
Your browser is unlikely to use the no-cors mode for any JavaScript methods.
"XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers."
If you browse directly to the URL it will work; if you use JavaScript running in a browser, the browser will throw an error.
- Hey @Ewan, thanks for pointing it out. In fact, my understanding was limited to a part of the CORS standard earlier. From your response and a bit of googling I found the link developer.mozilla.org/en-US/docs/Web/HTTP/CORS which helped me understand more about the standard. (Nachiappan Kumarappan, Sep 15, 2020 at 3:05)
- developer.mozilla.org/en-US/docs/Web/HTTP/CORS clearly tells that simple requests are also governed by CORS, but this document doesn't say, when the CORS requirements are not met for simple requests, how the server handles that. Is there anything you know about it, and could you point me to it, please? (Nachiappan Kumarappan, Sep 15, 2020 at 3:07)
- Yeah, the spec is a nightmare to read; it's basically written like code, not for explanation. But comparing allowed origin with origin is the fail here. Finding where it says that in the spec, however.... (Ewan, Sep 15, 2020 at 8:15)