options.AddPolicy("AllowAll", 
                  builder => builder.WithOrigins("*")
                                    .AllowAnyHeader()
                                    .AllowAnyMethod()
                                    .AllowCredentials())

This code shows a CORS error:

The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials needs to be supported.

How can I solve this? How can I add a wildcard origin with AllowCredentials?

  • Remove .AllowCredentials() or WithOrigins
    – MichaelMao
    Commented Jan 17, 2023 at 6:34
  • Allowing credentialed requests from all origins would be insecure. See portswigger.net/research/…
    – jub0bs
    Commented Jan 17, 2023 at 9:27

1 Answer


You can't do that,

as mentioned in the document:

The CORS specification also states that setting origins to "*" (all origins) is invalid if the Access-Control-Allow-Credentials header is present.

and this part in the document:

When responding to a credentialed request:

The server must not specify the "*" wildcard for the Access-Control-Allow-Origin response-header value, but must instead specify an explicit origin;

for example: Access-Control-Allow-Origin: https://example.com

The server must not specify the "*" wildcard for the Access-Control-Allow-Headers response-header value, but must instead specify an explicit list of header names;

for example, Access-Control-Allow-Headers: X-PINGOTHER, Content-Type

The server must not specify the "*" wildcard for the Access-Control-Allow-Methods response-header value, but must instead specify an explicit list of method names;

for example, Access-Control-Allow-Methods: POST, GET

The server must not specify the "*" wildcard for the Access-Control-Expose-Headers response-header value, but must instead specify an explicit list of header names;

for example, Access-Control-Expose-Headers: Content-Encoding, Kuma-Revision

If you set WithOrigins("*"), it adds Access-Control-Allow-Origin: * to the response header.
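A corrected policy for the configuration in the question, as an added example that is not part of the original answer: the wildcard is replaced by an explicit origin allowlist, which is the only shape the CORS specification permits together with credentials. It assumes .NET 6+ minimal hosting with implicit usings; the policy name, route and origin values are constructed.

```csharp
// Program.cs, ASP.NET Core minimal hosting (added example, not the asker's code).
var builder = WebApplication.CreateBuilder(args);

// Explicit allowlist of origins permitted to send credentialed requests.
// Constructed sample values; in a real deployment load them from configuration.
string[] trustedOrigins =
{
    "https://app.example.com",
    "https://admin.example.com",
};

builder.Services.AddCors(options =>
{
    // The shape from the question. ASP.NET Core rejects it at request time with
    // the error quoted above, because "*" plus credentials is forbidden by CORS.
    // options.AddPolicy("AllowAll", p => p.WithOrigins("*")
    //     .AllowAnyHeader().AllowAnyMethod().AllowCredentials());

    // Correct shape: list each origin. For a matching request the response carries
    // "Access-Control-Allow-Origin: <that exact origin>" (never "*") together with
    // "Access-Control-Allow-Credentials: true"; non-listed origins get no CORS headers.
    options.AddPolicy("TrustedOrigins", policy => policy
        .WithOrigins(trustedOrigins)
        .AllowAnyHeader()
        .AllowAnyMethod()
        .AllowCredentials()
        .SetPreflightMaxAge(TimeSpan.FromMinutes(10)));

    // If every subdomain of a domain you control must be allowed, ASP.NET Core
    // supports a scoped wildcard on the host label instead of a bare "*":
    // policy.WithOrigins("https://*.example.com")
    //       .SetIsOriginAllowedToAllowWildcardSubdomains()
    //       .AllowCredentials();
});

var app = builder.Build();

// UseCors must run before the endpoints it protects.
app.UseCors("TrustedOrigins");
app.MapGet("/api/profile", () => Results.Ok(new { name = "demo" }));
app.Run();
```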