✅ CORS issue when making GET request to server running asp application.
Hi,
I have this api: https://wsapi.tyrells.net/api/categories
And this webapp: https://wordsearch.tyrells.net/
This is the CORS code in the api:
This is the error in the webapp console:
The server receives the request when fetching from the webapp.
Making a GET request works fine when opening https://wsapi.tyrells.net/api/categories in browser.
Have I done something blatantly incorrect? I have no idea where I've gone wrong.
Thanks
44 Replies
The webapp is hosted using cloudflare pages. I'm not sure if it makes a difference.
If i run the webapp from localhost I get the same error, but I expect that to happen because I havent included http://localhost:5173/ in the cors string array
is it the slash at the end of the url in the CORs string array
so a few things
one, I've never seen the CORS policy being constructed in
UseCors before. Usually, you set it with AddCors then activate the middleware with UseCors
and yes, the trailing slash should not be there. Not sure if its the issue here, but its not standardI'll redeploy without the trailing slashes first. then look into addcors docs.
this is more what I'd expect
Removing the trailing slashes didn't work.
I was using
in development so I just thought it would be the same.
I just opened your webapp and it seems fine to me?
im not getting any cors errors
click on single player, it makes the first fetch there
I did.
the request worked.
you can see the CORS header right there
are you able to select categories ?
yep
look. CORS headers.
🙂
ok so i just closed firefox and its all good now...
I will still go read the add cors docs and figure out your example
ah yeah fiddling with stuff like this might require restarting your browser
its probably no different when only using a single policy
it was just not something I've ever seen before
from that very page 🙂
Yeah I just double checked. honestly im not sure where I found the orignal code
doesnt matter
it works the same way as AddDefault when you only have one
and honestly, multiple cors policies is kinda rare
would that be for something like having a webapp frontend and a mobile frontend?
¯\_(ツ)_/¯
I've never come across it.
CORS is very easy to get around, its mostly a safety thing for the frontend to prevent lazy API theft
thanks again for saving my ass. I think you helped me in my last help thread as well.
I defnitely need to read up on it by the sounds of it. I've only have brief knowledge from a .net textbook.
its a browser thing
its actually the clients browser that checks for CORS and disallows the request
so if you tweak your browser to not care about CORS....
i know it stops requests from different orgins but I'm not certain on what actually counts as different origins
it literally looks at the url base path
there's probably more rules to it though?
no
not really
oh cool something straightforward for once
its just to prevent things like x-site scripting attacks
but ideally they are already stopped on the serverside
the idea is that its one of many layers in the http sphere to help stop XSS attacks. Lets say you make a webapp for a bank
actually idk where Im going with this analogy. ignore it.
its one of many layers, thats all you need to know 😄
I've heard of cross site scripting attacks. isn't it basically injecting malicous javascript
yeah, but how you do that can be in many different ways
I'm happy to figure it out on my own ive found this https://owasp.org/www-community/Types_of_Cross-Site_Scripting
imagine if I make a spoof webpage that sends actual real requests to your actual real bank API
but with data provided by my spoofy nasty page
so you think you are just paying your bills, but the webapp is issuing "transfer all the money to Pobiega" requests
this wouldnt be possible due to CORS
since the bank api probably checks that only their real domains can access it
ah okay that makes sense. so its mainly a browser side thing. like i just realised curl doesnt use cors. so the bank would use authorization aswell.
yeah ofc
and anyway the jokes on them, they can have my negative balance.
but authorization tokens and cookies can be stolen
so its one of many layers
but since its client enforced, its mostly there to save the not so tech-savvy people
and/or make life a tiny bit harder for malicious assholes
I've got lots to figure out by the sounds of it.
thank you again.
I'm going to go sort out some ui issues with the web app
!close
Closed!