ProxyFeature with CorsFeature

paul1 · May 31, 2024, 9:47am

Hi,

I just downloaded the C# ServiceStack template:

and added a CorsFeature and ProxyFeature to AppHost

    public override void Configure()
    {
        SetConfig(new HostConfig());

        Plugins.Add(new CorsFeature(
            allowOriginWhitelist: new[] { "*" },
            allowCredentials: true,
            allowedHeaders: "Content-Type, Allow, Authorization",
            allowedMethods: "GET, POST, PUT, DELETE, OPTIONS"
        ));

        Plugins.Add(new ProxyFeature(
            matchingRequests: req => req.PathInfo.StartsWith("/example/"),
            resolveUrl: req => "https://api.example.com" + req.PathInfo.Replace("/example/", "/")));
    }

And then I test it from another domain (https://localhost:7575):

    this.http.get<any>('http://localhost:5001/example/v2/images/search', {}).subscribe({
      next: (data: any) => { console.log(data); },
      error: (e) => { console.log(e); }
    });

And I get a CORS error:
Access to XMLHttpRequest at ‘http://localhost:5001/example/v2/images/search’ from origin ‘https://localhost:7575’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Why do I get this error?
I expect the CorsFeature to make sure this doesn’t happen.

I also tried setting the Access-Control-Allow- headers with GlobalResponseFilters but that didn’t help.

mythz · May 31, 2024, 9:57am

These features are not related. The Proxy feature just proxies the the request to the downstream resource and returns the response and headers of the downstream request.

For CORS you’d typically want to specifically list which cross domain sites are allowed, e.g:

Plugins.Add(new CorsFeature(
    allowOriginWhitelist:  new[] { "https://localhost:7575" },
    allowCredentials: true,
    allowedHeaders: "Content-Type, Allow, Authorization",
    allowedMethods: "GET, POST, PUT, DELETE, OPTIONS"
));