In ASP.NET, Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header

response to preflight request doesn't pass access control check: it does not have http ok status.
no 'access-control-allow-origin' header is present on the requested resource
angular 8 preflight request
asp.net core cors not working
enablecorsattribute
enable cors in asp.net mvc
handle preflight request web api
angular asp net web api cors

I am using a Web Core API and have set up CORS as follows;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors();
        ...
    }

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
var url = Configuration["origenUrl"];
            var header = "Content-Type";
            app.UseCors(
                options => options.WithOrigins(url).WithHeaders(header).AllowAnyMethod().AllowCredentials()
            );
        }

This setup works fine for Get Requests. But for my Put request;

   $.ajax({
        url: url,
        method: "PUT",
        xhrFields: { withCredentials: true }
    })
        .done(callback)
        //.fail(errorMessage);
        .fail(function (jqXHR, textStatus, errorThrown) {
            alert("Something went wrong: " + textStatus + " " + errorThrown);
            errorCallback();
        });

I get this error message;

XMLHttpRequest cannot load http://localhost:17972/api/fault/1/close.

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:12528' is therefore not allowed access. The response had HTTP status code 401.

From Fiddler my http request is;

OPTIONS http://localhost:17972/api/fault/10/close HTTP/1.1

Accept: /

Origin: http://localhost:12528

Access-Control-Request-Method: PUT

Access-Control-Request-Headers: accept

UA-CPU: AMD64

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64;Trident/7.0; rv:11.0) like Gecko

Host: localhost:17972

Content-Length: 0

DNT: 1

Connection: Keep-Alive

Pragma: no-cache

So how do I fix this?

EDIT I have also tried this code just to get it working, but I get the same error;

 public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            //var url = Configuration["originUrl"];
            //app.UseCors(
            //    options => options.WithOrigins(url).AllowAnyHeader().AllowAnyMethod().AllowCredentials()
            //);
            app.UseCors(
                options => options.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod().AllowCredentials()
            );
            app.UseMvc();
}

Try with AllowAnyHeader instead of WithHeaders, it must works. The problem is that you are requiring a "Content-Type" header, but isn't being sent. If you wants to keep the WithHeaders check, add "Access-Control-Request-Method".

More info: https://docs.microsoft.com/en-us/aspnet/core/security/cors

Response to preflight request doesn't pass , For some CORS requests, the browser sends an additional request, called a “ preflight request”, before it sends the actual request for the resource� If the preflight request is denied, the app returns a 200 OK response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the Test CORS section of this document.

I know this is a bit old, but I just ran into the same problem and was able to work out the issue. I was following a Microsoft guide on how to enable CORS globally. I set the following code within the Startup.cs file...

services.AddCors(options =>
{
    options.AddPolicy(MyAllowSpecificOrigins,
        builder =>
        {
            builder.WithOrigins("http://localhost");
        });
});

The guide did have an example of using a localhost, however it was at the very end within the "Test CORS" section. There, they show that you have to have the port number as well. I changed my code to:

services.AddCors(options =>
{
    options.AddPolicy(MyAllowSpecificOrigins,
        builder =>
        {
            builder.WithOrigins("http://localhost:3000")
                .AllowAnyHeader();
        });
});

I also added the AllowAnyHeader (as mentioned above) and everything works great! HTH

Response to preflight request doesn't pass access control, Dear All, I have created small project using Angular 6 and ASP .Net MVC 5. I have uploaded my those project with help of member of this forum. Access-Control-Allow-Origin Header and the ASP.NET Web API Here's a look at a solution to an Access-Control-Allow-Origin Header error, with background info, how to use the code, and more. by

I was having a similar problem where GET requests would work fine, but POST requests would give me the same angry message as OP got. The code below worked for me, the other answers weren't quite complete in my case:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
       options.AddDefaultPolicy(
           builder =>
           {
                      builder.WithOrigins("http://localhost:1337").AllowAnyHeader().AllowAnyMethod();
            });
        });

            services.AddControllers();
            services.AddRazorPages();
        }}

CORS, Describe the bug The application has been working flawlessly in .net core 2.1. The signalR server's configuration looks like the following code� The pre-flight request uses the HTTP OPTIONS method. It includes two special headers: Access-Control-Request-Method: The HTTP method that will be used for the actual request. Access-Control-Request-Headers: A list of request headers that the application set on the actual request. (Again, this does not include headers that the browser sets.)

Response to Preflight Request Doesn't Pass Access , Fix To Response to preflight request doesn't pass access control check: Make sure the Online at the left pane is selected and one can see Microsoft ASP.NET Web API 2.2 Cross-Origin Support and install that if not installed. I have the same problem with asp.net core 3.1 and angular 9. The solution you have illustrated, in my case, does not work. Response to preflight request doesn't

Enable Cross-Origin Requests (CORS) in ASP.NET Core, The app returns a 200 OK response but doesn't send the CORS headers back. Therefore, the browser doesn't attempt the cross-origin request. Configured the API on the server IIS, so going to see Response Header settings in IIS. Go to the command window and type inetmgr and click OK, your IIS will open shortly, now find your Web API which you have already configured under Default Web Site.

CORS: Response to preflight request doesn't pass access control , When working with Angular and ASP.NET Core, you might get following error. Failed to load resource: net::ERR_FAILED [http://serviceuri/api/.] A complete nightmare. The equivalent project in ASP.NET Core 2.1 works perfect. In 2.2: _Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

Comments
  • Did you add the content-type?
  • I put "Content-Type" in the header variable which is then included in the WithHeaders method as you can see in the code. I have since tried "AnyHeader()" with the same result.
  • Sorry, I didn't explain so fin, I was speaking about the request. Do you have a raw HTTP request?
  • From Fiddler: OPTIONS localhost:17972/api/fault/10/close HTTP/1.1 Accept: / Origin: localhost:12528 Access-Control-Request-Method: PUT Access-Control-Request-Headers: accept UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: localhost:17972 Content-Length: 0 DNT: 1 Connection: Keep-Alive Pragma: no-cache
  • I tried that but to no avail. I have been looking at the link - which is a good one - for some time trying to work out what I can do.
  • You can also avoid libraries and add a cors rule in the web.config here: enable-cors.org/server.html
  • To try and get it working I am now using AllowAnyOrigin() but this does not solve the problem
  • Still the same problem? can you update your question with the new code?