SignalR Core 2.2 CORS AllowAnyOrigin() breaking change

setisoriginallowedtoallowwildcardsubdomains
signalr cors
.net core 2.2 cors not working
asp net core cors options 401
asp.net core 3.0 cors
asp net core cors options 404
signalr no 'access-control-allow-origin' header is present on the requested resource
.net core 2.2 signalr

To connect via SignalR to an ASP.NET Core 2.1 server from any origin, we had to configure the pipeline as follows:

app.UseCors (
  builder => builder
   .AllowAnyHeader ()
   .AllowAnyMethod ()
   .AllowAnyOrigin ()
   .AllowCredentials ()
)

According to this document, ASP.NET Core 2.2 no longer allows the combination of AllowAnyOrigin and AllowCredentials, so what would be the solution? Whereas the SignalR Core always sends withCredentials:true in the XMLHtppRequest.

What I need is that from any origin and without credentials, our users can connect to the SignalR Hub.

There is a workaround, change AllowAnyOrigin to SetIsOriginAllowed:

app.UseCors(builder => builder
                .AllowAnyHeader()
                .AllowAnyMethod()
                .SetIsOriginAllowed(_ => true)
                .AllowCredentials()
            );

Breaking change in AspNetCore 2.2 for SignalR and CORS , I've recently prepared an ASP.NET Core application, with no problems combining AllowAnyOrigin() and AllowCredentials() – although is was not an SignalR app,  Breaking change in AspNetCore 2.2 for SignalR and CORS. December 6, 2018 - John Waters. 7 Comments. To get authenticated SignalR hubs to work, you need to allow credentials in CORS, so your aspnetcore code might look like this: services.AddCors (action => action.AddPolicy (policyName, builder => builder .AllowAnyMethod () .AllowAnyHeader () .AllowAnyOrigin () .AllowCredentials ()));

You can use the "WithOrigins" method passing the origins, maybe read by configuration.

app.UseCors(builder => builder
            .AllowAnyHeader()
            .AllowAnyMethod()
            .WithOrigins(new string[] { "www.example1.com", "www.example2.com" })
            .AllowCredentials()
        );

If the only string passed is " * " you still have problems with signalR. If you pass many strings and one of them is " * ", it works.

donetcore 2.2 broke signalr · Issue #4483 · dotnet/aspnetcore · GitHub, Still using SignalR 1.0.4 on server, client is angular, and doesn't AllowAnyOrigin() + . .com/breaking-change-in-aspnetcore-2-2-for-signalr-and-​cors/ .net core 2.2 Downward compatibility problem(about cross domain) #  AllowCredentials ())); In ASP.NET Core 2.2 it is no longer allowed to combine AllowAnyOrigin and AllowCredentials. When you try to use the two together, you‘ll see the following warning in the output window: The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time.

I have found a solution. You can try the following code part:

.SetIsOriginAllowed (_ => true)

This worked for me.

SignalR Breaking changes, NET Core 2.2 - SignalR Breaking changes SignalR hubs. In our code we were rather lazy and had allowed CORS for everything: AllowAnyMethod() NET Core 2.2 it is no longer allowed to combine AllowAnyOrigin and  This is a blocker for upgrading to 2.2! This is also a very sneaky change that was hit when upgrading to 2.2. Please advise on work around as we do not know all of the origins that will be connecting to the SignalR hub. I also cannot specify all origins as these may come from an app with an unknown IP address. This functionality did work prior

Allowing any origin with CORS, core. In the Global.asax there are lines to dynamically allow any origin since we have cross origin [HttpGet] public ActionResult<string> Get() { HttpResponse NET Core 2.2 there are breaking changes for CORS. https://​trailheadtechnology.com/breaking-change-in-aspnetcore-2-2-for-signalr-and-​cors/. This issue occurs in the 2.1 release and numerous customers are hitting it. I think we should up the priority of this. Also, we should document that the Azure App Service CORS settings are not compatible with SignalR, and you should only use the ASP.NET Core CORS functionality.

Security considerations in ASP.NET Core SignalR, NET Core 2.2 to . The code before any changes can be found in this GitHub repo. NET Core 3.0 by installing at least Visual Studio 16.3. Build().Run();. } public static IHostBuilder CreateHostBuilder(string[] args) The UseCors may or may not apply but the addition of UserRouting AllowAnyOrigin();. }. Stack Overflow Public questions In current 2.1 version of ASP.NET Core SignalR we still don't see this API implemented. SignalR Core 2.2 CORS AllowAnyOrigin

Migration from ASP.NET Core 2.2 to 3.0 – Eric L. Anderson, Cors.Core.EnableCorsAttribute. // // Parameters: // policyName: // The name of the policy Specifically in dotnet core 2.2 with SignalR you must change AllowAnyOrigin() with . .com/breaking-change-in-aspnetcore-2-2-for-signalr-​and-cors/. I'm migrating our SignalR-Service to the new AspNetCore.SignalR (2.1 preview) and now I get problems with CORS. I will never access the service from the same origin, so I need to disable CORS in ge

Comments
  • The link you site seems to have steps to get around this. Are those steps not working for you?
  • From the doc: "Modify the CORS policy to no longer allow credentials. That is, remove the call to AllowCredentials when configuring the policy". Signalr doesn't have the option to disable withcredentials property, so, no the link does not help. Why the down vote?
  • man thank you, this was an intelligent question with an intelligent answer.
  • A working solution was already posted by Alexandre. The author asked 'What I need is that from any origin and without credentials', so your answer is not correct. I think your intension is to tell the people that there is another way with declaring specific origins, but you should post something like that as comment.
  • @NePheus the question from op is not exactly clear...since he says that SignalR sends always credentials and then that he doesn't want credentials.....so this sounds like another way to solve the problem