I have an ASP.NET Core 6.0 back-end with this CORS config:
app.UseCors(x => x
.SetIsOriginAllowed(origin => true)
.AllowAnyMethod()
.AllowAnyHeader());
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
Yet the endpoints with [Authorize] attribute throw CORS errors.
The public endpoints do not present any problem whatsoever.
Any ideas what could this be?
I already checked my endpoints with postman and they all work just fine, only my web app presents the error (as is natural because the browser enforces the same origin policy).
Both my Web API and my web app are on different domains (webapp.com and webapi.mx) but having my server allow all origins should bypass the same origin policy right? What am I missing about CORS?
Here are some screenshots of the request headers of a successful requests and a CORS error request.
Successful POST request.
CORS error GET request.
