We use ASP.NET Core and cross-origin requests from other sites (on different domains). So before any real request from a site to our API, the browser makes a preflight request.
The problem is:
- The browser calls all our API methods twice, which broke our data
- The real and preflight requests are the same, including the method
If we catch a preflight request in the browser, it is OPTIONS (not POST) and includes some specific CORS headers. But when it reaches the controller, it becomes the same (we checked this via logs inside the controller):
- Real and preflight requests are POST
- Real and preflight requests have the same headers (Content-Type, Accept, Accept-Encoding, Accept-Language, Host, Referer, User-Agent, Origin, Content-Length, X-Request-ID, X-Real-IP, X-Original-Proto, X-Forwarded-Port, X-Original-Host, X-Forwarded-Scheme, X-Scheme, X-Original-For)
So we don't have any way to tell the preflight request from the real one and handle the preflight differently.
Our CORS settings:
    services.AddCors(cors =>
    {
        cors.AddPolicy("bundle_cors", builder =>
        {
            builder
                .AllowAnyHeader()
                .AllowAnyMethod()
                .WithExposedHeaders("set-cookie")
                .AllowCredentials()
                .SetIsOriginAllowed(_ => true);
        });
    });
Are there any ways to solve the problem?
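
An added example, not the poster's code: a minimal ASP.NET Core 6+ `Program.cs` that logs, ahead of the CORS middleware, whether each incoming request is a preflight (`OPTIONS` carrying `Origin` and `Access-Control-Request-Method`). It also replaces `SetIsOriginAllowed(_ => true)` with an explicit origin list, because combined with `AllowCredentials()` that predicate lets any origin make credentialed requests. The origins and the `/orders` endpoint are placeholders assumed for illustration.

```csharp
// Added example. Assumes ASP.NET Core 6+ minimal hosting (not the poster's project).
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddCors(cors =>
{
    cors.AddPolicy("bundle_cors", policy =>
    {
        policy
            // Placeholder origins (assumption): list the real calling sites here
            // instead of accepting every origin together with credentials.
            .WithOrigins("https://partner-a.example", "https://partner-b.example")
            .AllowAnyHeader()
            .AllowAnyMethod()
            .WithExposedHeaders("set-cookie")
            .AllowCredentials();
    });
});

var app = builder.Build();

// Diagnostic middleware, registered before UseCors so it records every request
// exactly as the application received it.
app.Use(async (context, next) =>
{
    var req = context.Request;
    // A CORS preflight is an OPTIONS request with both of these headers.
    bool isPreflight =
        HttpMethods.IsOptions(req.Method) &&
        req.Headers.ContainsKey("Origin") &&
        req.Headers.ContainsKey("Access-Control-Request-Method");

    app.Logger.LogInformation(
        "{Method} {Path} preflight={IsPreflight} X-Request-ID={RequestId}",
        req.Method, req.Path, isPreflight, req.Headers["X-Request-ID"].ToString());

    await next(context);
});

// The CORS middleware answers preflights itself; they do not reach endpoints.
app.UseCors("bundle_cors");

app.MapPost("/orders", () => Results.Ok()); // hypothetical endpoint

app.Run();
```

If this log shows two `POST` lines with `preflight=False` for one browser call, the application never received an `OPTIONS` request, and the comparison has to continue at whatever sits in front of it.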