Home > Mobile >  HTTP PUT, DELETE methods returning 405 when CORS is enabled in .NET 6
HTTP PUT, DELETE methods returning 405 when CORS is enabled in .NET 6

Time:11-30

I'm having an issue with CORS in a .NET 6 Web API project. Development started in .NET 5, but was upgraded to .NET 6 later.

CORS was originally enabled using a named policy with AllowAnyHeaders() and AllowAnyMethods() as was explained in this Microsoft Docs article and this article on CodeMaze.

It worked perfectly fine on my local machine during development. However, when it was deployed to the testing server, only GET and POST works. PUT and DELETE do not work.

The PUT and DELETE requests in Postman for any PUT or DELETE method in any endpoint for any controller shows a 405 Method Not Allowed response. The Header's Allow field shows GET, HEAD, OPTIONS, TRACE.

However, changing PUT to OPTIONS still gives a 405 response, but the Allow field has DELETE, GET, PUT.

The Blazor WASM client shows the following in the console when attempting to edit or delete:

Access to fetch at 'http://ip-address:port/api/v1/EndpointName/92b956cd-2290-4270-8df5-056355cab846' from origin 'http://servername:port' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Since then I have read the MDN article explaining CORS and tried numerous solutions from various articles and Stack Overflow posts.

Origins work with .AllowAnyOrigins(), .WithOrigins("*"), and .WithOrigins(list hosts and ports).

Headers work with .AllowAnyHeader() and .WithHeaders("*"). Even after removing .WithExposedHeaders("X-Pagination") this header still shows and still works.

.AllowAnyMethod(), .WithMethods("PUT", "DELETE"), .WithMethods("*") all yield the same result described above.

The current code in the Startup.cs file is shown below:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
        options.AddDefaultPolicy(
            policy =>
            {
                policy.WithOrigins(Configuration["AllowedCORS"]);
                policy.AllowAnyMethod();
                policy.AllowAnyHeader();
                policy.WithExposedHeaders("X-Pagination");
                //policy.WithHeaders("*");
                //policy.WithMethods("PUT", "DELETE");
                //policy.WithMethods("*");
            }));

    services.AddControllers();

    ...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseCors();

    app.UseAuthorization();

    ...
}

Your assistance in resolving this issue is greatly appreciated.

CodePudding user response:

According to my experience when the iis server does not allow delete and put while not having the same problem in dev machine, the problem is not related to CORS config and you should check two point to find the problem:

First ExtensionlessUrlHandler-Integrated-4.0 : Go to Handler Mappings in your IIS Manager. Find ExtensionlessUrlHandler-Integrated-4.0, double click it. Click Request Restrictions... button and on Verbs tab, add both DELETE and PUT

Second WebDAVModule Should also allow the verbs: Check here

Page link:https//www.codepudding.com/Mobile/626328.html

Prev:Global using directive in c#
Next:C# - Can I select the value of an XML attribute by searching for a second attribute?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding