Aspnetcore: CORS AllowAnyHeader issue with Firefox

Created on 20 Oct 2018  ·  3 Comments  ·  Source: dotnet/aspnetcore

Describe the bug

The AllowAnyHeader() behaviour seems to have changed between 2.0 and 2.2-preview3 and this causes problems with Firefox.
Previously preflight requests would return an Access-Control-Allow-Headers containing the headers in the client request. This seems to have changed so that the server now returns a wildcard ('*') response.
Unfortunately the wildcard response appears to cause issues with Firefox. Chrome and Edge work correctly, however.

To Reproduce

Originally reported at: https://github.com/IdentityServer/IdentityServer4/issues/2731.
You'll find more details there, including some repro steps.

Expected behavior

Return to previous behaviour, rather than returning the wildcard response

Done area-mvc bug

All 3 comments

Thanks for the bug report! Seems like an issue with Firefox. We changed the code to reflect the Access-Control-Request-Headers and Access-Control-Request-Method when the policy supports wildcard. We were already doing this when the policy was configured to support credentials. We'll continue to respond with * in the Access-Control-Allow-Origin header if the policy is configured to support all origins and supports credentials. This is a mitigation for #3106.

Confirmed this works now using the latest nightly build (2.2.100-rtm-009571)
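
The difference between the two preflight responses discussed in this thread, as an added example that is not part of the original issue and is not ASP.NET Core's own code: a small C# model of a server that answers an allow-any-header policy either with `*` or by reflecting `Access-Control-Request-Headers`, and of a client that checks the response. The names `PreflightModel`, `AllowHeaders` and `Accepts`, the `wildcardAware` switch and the sample header list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustrative model only (hypothetical names); not the framework's CORS code.
static class PreflightModel
{
    // Server side: value of Access-Control-Allow-Headers for an allow-any-header policy.
    // reflect=false returns the wildcard, reflect=true echoes what the client asked for.
    public static string AllowHeaders(string requestHeaders, bool reflect) =>
        reflect ? string.Join(",", Split(requestHeaders)) : "*";

    // Client side: does the preflight response cover every requested header?
    // wildcardAware=false models a client that compares "*" as a literal header name.
    // Per the Fetch standard, "*" acts as a wildcard only for requests without credentials.
    public static bool Accepts(string requestHeaders, string allowHeaders,
                               bool wildcardAware, bool withCredentials)
    {
        var allowed = new HashSet<string>(Split(allowHeaders), StringComparer.OrdinalIgnoreCase);
        if (wildcardAware && !withCredentials && allowed.Contains("*"))
            return true;
        return Split(requestHeaders).All(h => allowed.Contains(h));
    }

    // Parse a comma-separated header list, ignoring whitespace and empty items.
    static IEnumerable<string> Split(string value) =>
        (value ?? "").Split(',').Select(h => h.Trim()).Where(h => h.Length > 0);

    static void Main()
    {
        // Constructed sample: Access-Control-Request-Headers sent with a preflight.
        const string requested = "content-type, x-requested-with";

        foreach (var reflect in new[] { false, true })
        {
            var allow = AllowHeaders(requested, reflect);
            Console.WriteLine($"Access-Control-Allow-Headers: {allow}");
            foreach (var aware in new[] { true, false })
                foreach (var creds in new[] { false, true })
                    Console.WriteLine($"  wildcardAware={aware} withCredentials={creds} " +
                        $"-> accepted={Accepts(requested, allow, aware, creds)}");
        }
    }
}
```

With the wildcard response only the wildcard-aware, non-credentialed case is accepted; with the reflected list all four combinations are accepted.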
