[Solved] The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time

This issue occurred when I was trying to enable cors in my ASP.NET Core web application so that its API can be accessed with a different host.

Error Details:

The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials needs to be supported.

System.InvalidOperationException: ‘The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials needs to be supported.’

System.InvalidOperationException
HResult=0x80131509
Message=The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials needs to be supported.
Source=Microsoft.AspNetCore.Cors
StackTrace:
at Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder.Build()
at Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions.AddPolicy(String name, Action1 configurePolicy) at Microsoft.AspNetCore.Cors.Infrastructure.CorsOptions.AddDefaultPolicy(Action1 configurePolicy)
at IQ.WebApi.Startup.<>c.b__4_1(CorsOptions options) in H:\Apps\Web Apps\Interview Question Projects\Project\Code\IQ.WebApi\Startup.cs:line 39
at Microsoft.Extensions.Options.ConfigureNamedOptions1.Configure(String name, TOptions options) at Microsoft.Extensions.Options.OptionsFactory1.Create(String name)
at Microsoft.Extensions.Options.OptionsManager1.<>c__DisplayClass5_0.<Get>b__0() at System.Lazy1.ViaFactory(LazyThreadSafetyMode mode)

Problem

Issue screenshot

If you see the error details, it clearly says that The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time. Configure the CORS policy by listing individual origins if credentials need to be supported. It means we can not use both wild card CORS configuration and Credentials configurations, because a different host should have different credentials and we can not have the same credentials for all the hosts due to security reasons. So this configuration is restricted at the compile time with a compile error.

Allow Credentials option with CORS wildcard

Solution

The solution is simple in this case, we have to either remove AllowCredentails configuration or if we are supposed to allow credentials then we should specify the host instead of the wild card CORS configuration.

As my requirement was to allow all hosts to access my API, I removed AllowCredentails configuration from the CORS configuration.

CORS configuration after removing AllowCredentails option

Summary

Whenever we configure CORS in ASP.NET Core web applications or API’s we have to be clear about what kind of options we are keeping. Because in this case, we misconfigured that we want both wild card option as well as credentials for CORS verification.

Default image
Sreenivasa Rangan TR

Software professional with 7+ years of experience in all phases of software development with robust problem-solving skills and proven experience in creating and designing software in a test-driven environment.

Leave a Reply