A React app is calling my net6 API. Things have been working fine for months with no CORS problems.
Starting this week, I started seeing the React client unable to call the API consistently.
Things work fine other environments. But in a STG environment requests are blocked, but inconsistently. That is, some requests to a single controller get through while others do not. In addition, reloading the UI page results in a different set of endpoint calls that fail.
I have not been able to identify the cause. I don’t know if there is a change in React client code that could account for this. I haven’t found anything unusual about the server where the API is hosted in IIS. I am not aware of any new security in that environment. Any suggestions as to what could explain the inconsistent CORS errors?
I believe I have CORS access correctly enabled in the API (this has worked for 8 months in all environments with no CORS issues):
private readonly string _policyName = "CorsPolicy";
services.AddCors(opts => {
opts.AddPolicy(_policyName, builder => {
builder.AllowAnyOrigin().
AllowAnyMethod().
AllowAnyHeader();
});
});
app.UseRouting();
app.UseCors(_policyName);
The fact that some requests get through seems to indicate CORS is configured appropriately in the API app.
The inconsistency must be a clue as to what is going on and how to resolve it.
From the Chrome browser dev tools Console:
Access to XMLHttpRequest at 'https://some-domain.com/MyApp/SomeController/SomeEndpoint' from origin 'https://webapp-client.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
GET https://some-domain.com/MyApp/SomeController/SomeEndpoint net::ERR_FAILED 500 (Internal Server Error)
On calls that fail, the OPTIONS call returns:
500 Internal Server Error
On calls that succeed, the OPTIONS call returns as expected:
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Calling the same endpoint 20 seconds later, it may succeed, or it may fail. It is inconsistent.
Any suggestions on how to resolve this issue?
I have tried adding [EnableCors(“CorsPolicy”)] decorations to endpoint Action methods. No effect.
I have tried to identify why calls to some endpoints succeed while others fail. They are all implemented the same way.
I have asked the UI dev if there was a change from his end. No change he is aware of.
I asked the architect guy if there is a new security aspent in the affected environment. None he is aware of.
I have done many google searches similar to “Inconsistent CORS errors” but have not found anything that looks like my situation.
I would expect that a React client calls to an API endpoint would consistently fail or consistently succeed, all other things being unchanged. In the past, CORS errors I have seen are consistent and can usually be addressed by an appropriate change. At this point, I suspect a network security issue, but I have no way to verify that.
Any suggestions are appreciated.
user25671135 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.