Having an issue with Azure storage CDN. We have it configured for CORS, basically we allow all headers and origins (*), and GET|HEAD|
OPTIONS. Everything works fine when we are using the storage direct host. When we switch it over to use the CDN host,the OPTIONS request stops returning any of the allow headers and causes cross origin failures. On other gets I do get the allow origin header but nothing else. Anyone seen this or am I overlooking a config option somewhere? Happens locally talking to Azure and on our Azure hosted site.
Azure CDN profiles from Akamai currently do not tunnel OPTIONS requests. There is a patch currently underway to enable OPTIONS requests for cors pre-flight.
If you don't use pre-flight requests, does CORS work?
Related
We are trying to get Azure app proxy to work and are running into CORS issues. We are using custom domains with split brain deployment.
I have read through: Azure Application Proxy CORs
and am currently on step 4 to just rewrite cors to work with out the wildcard below
var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);
Our web application has a frontend server hosted on IIS: https://frontend.company.com with the internal and external urls mapped to be the same urls as behind our company firewall.
We also have a backend server located on premises hosted on IIS and located at https://backend.company.com
We have set up two applications in app proxy to point to the respective servers where the internal and external match the urls we are using internally to the company.
I have tried var cors = new EnableCorsAttribute("https://backend.company.com", "*", "*")
and still get the cors issue. One thing I noticed is We are not getting the Response headers when going through Azure Proxy. Here is a picture of what it looks like internally and you can see access-control-allow-origin is set to *
The end goal is to be able to access this application externally. I can get the frontend to pull up html fine, and I can go directly to the swagger pages on the backend side just fine, but the two cannot communicate cross origin.
Below is what we see when accessing externally through app proxy:
We have tried to set web.config values, and remove values with pretty much every stack overflow article we can find.
Question is Does Azure or Azure App Proxy have any settings around allowing Access-Control-Allow-Origin settings to flow through? I dont have access to App Proxy, and am having to work with our cloud team to try different things. We have tried every combination of the Translate URLS mentioned here https://stackoverflow.com/a/60560675/1879992
Below is what we see externally and has the request headers missing
We have also read the official document and whitelisted our urls with the same response.
If I disable the chrome setting related to CORs the app comes up fine.
I am using Azure CDN (Ex: https://example-cdn.azureedge.com) to deliver static website from backend-endpoint which is Blob storage. Everything works fine except that Http request for static file(Ex: translation files stored on assets folder location /assets/i18n/en.json) from Angular application (Ex: https://example.com) are failed. As per the document, CORS is automatically set to *.
What I observed is that Angular application while making http request using HttpClient does a preflight request before making actual GET request. Azure CDN seems to be not supporting preflight OPTIONS request. Browser request fails with an error message Response for preflight does not have HTTP ok status.
Here is the snapshot of Rules set on Azure CDN
Question is, how to request files conditionally from Azure CDN using Angular application
If anyone facing the this issue, please make sure your original host is responding to these requests. In my case, Azure Storage Account was the original host. CDN started to respond after enabling CORS settings on Storage account.
CORS says that:
A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, and port) than its own origin.
That been said, look at this scenario. I have two apps deployed on the azure.
https://myApp.azurewebsites.net .NET FW app that has a Angular client.
https://myMicroservice.azurewebsites.net .NET CORE API.
Since both apps are in the same site (origin) azurewebsites does that mean that I don't need to configure CORS?
Note: I already have configured CORS on the .NET CORE app to allow the https://myApp.azurewebsites.net origin.
Here, the same origin means that xxx.azurewebsites.net should be the same one(as well as xxx).
So in your case, you need to enable CORS. Otherwise, the access is not allowed.
We're leveraging the hapi-swagger plugin to generate swagger documentation for endpoints we are proxying in Azure's API gateway service. We're exporting the swagger doc, and importing it into the Azure service.
All of our endpoints are set to cors: true, and because we are making cross origin requests, common browsers (e.g. Chrome) make a preflight OPTIONS request. Apparently Hapi automatically generates the OPTIONS endpoints for us (as in, we see the OPTIONS requests being made successfully in the browser), but it also seems that our exported swagger doc does not include these OPTIONS endpoints, and so none of the endpoints get proxied in the gateway service.
Is anyone aware of a way to export/expose these OPTIONS endpoints?
Additional information:
hapi: 16.6.2
hapi-swagger: 8.0.0
We "solved" this by turning on CORS support for each of our proxied endpoints in the Azure gateway which I guess automatically exposes OPTIONS endpoints (I wasn't doing the Azure work, so forgive my untechnical explanation; this article seems to corroborate my understanding, though it's about Azure storage services, not their api service..).
I believe in the last few days (around 4th Feb 2014), Microsoft announced CORS support for Azure Storage (link here) which is obviously a great idea.
In my case, I just wanted to find some confirmation of using a custom domain to map to azure storage which would solve an issue as follows:
Azure storage has a container with assets (images/docs etc)
I also have css/js assets there in azure storage too
Because at present the azure storage location is something like mystorage.blob.core.windows.net and my actual domain (where pages/services live) is say www.mydomain.com, I get CORS issues loading assets from a different domain of course.
So my question is if I do map a CNAME (for example assets.mydomain.com) to azure storage, will this solve the CORS related issues? Seems to me it should, however I wanted to check if others had a similar experience that they could comment on?
Thanks in advance.
You shouldn't get CORS issues loading assets, if they're just being loaded via link, script and img tags and the like. CORS only applies to AJAX requests made by JavaScript code in browsers.
Also, if the CORS rules are correctly configured on the Azure Storage account Blob service, the domain you use to address the account is irrelevant; it's the domain the current web page was served from (the Origin domain) that must be accepted by the CORS-enabled service.
So for example, if your page is served from yaysite.com, and you try to access a resource on yay.blob.core.windows.net using an XMLHttpRequest, the browser will add an Origin header to the request:
Origin: http://yaysite.com
The server at yay.blob.core.windows.net then needs to return an Access-Control-Allow-Origin header matching that to the response headers:
Access-Control-Allow-Origin: http://yaysite.com
If the browser doesn't see this header in the response, it will discard the data and the XMLHttpRequest object will trigger the error event.
Setting CORS rules on Azure Storage is described in this MSDN blog post.