Enable the Access-Control-Allow-Credentials header on the Azure website (Azure App Services)

We recently migrated the API application from Azure Cloud Services to Azure Websites, and some customers still use our legacy authentication protocol, which uses cookies (instead of the usual Authorization: Bearer HTTP header). We need to support this authentication protocol a little more, as clients will not be able to migrate immediately.

To support cookies in a cross-origin Ajax request directed to the API, the client must set the withCredentials parameter to true in XMLHttpRequest, and the server must also respond with the Access-Control-Allow-Credentials header to any CORS request.

The problem we are facing is that the Azure Website independently manages CORS and uses its own configuration (which is limited to the list of allowed sources) to respond, which does not allow setting this header ... thereby violating the application for all our Ajax clients!

Is there a way (temporarily) to add this header to the responses?

+6
2 answers

Finally, we were able to understand the behavior of the Azure Apps CORS middleware. To disable it, you need to clear every legal record of origin in the CORS blade of your web application (including *). You can then manage CORS yourself using the Web API 2 functionality or using web.config.

Information is available even in the documentation:

Do not attempt to use both CORS and App CORS APIs in the same API application. The CORS application service will take precedence, and the CORS web API will have no effect. For example, if you enable one domain in the application service and include all the source domains in the web API code, your Azure API application will only accept calls from the domain that you specified in Azure.

So, the final answer is: if your application does not require very specific CORS management, you can use the Azure App Service CORS. Otherwise, you will have to deal with it yourself and disable the entire CORS configuration in the web application.

+11
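As an added example (not code from the answers above or from the Azure documentation): once the App Service CORS list is empty, a Web API 2 policy along these lines makes the API emit Access-Control-Allow-Credentials for the legacy cookie clients. The origin names, the header and method lists, and the WebApiConfig layout are assumptions.

```csharp
// Added example. Requires the Microsoft.AspNet.WebApi.Cors NuGet package.
using System.Web.Http;
using System.Web.Http.Cors;

public static class WebApiConfig
{
    // Assumption: placeholder origins of the legacy cookie-authenticated clients.
    private const string LegacyClientOrigins =
        "https://app.example.com,https://legacy.example.com";

    public static void Register(HttpConfiguration config)
    {
        var legacyCookiePolicy = new EnableCorsAttribute(
            origins: LegacyClientOrigins,       // explicit list, never "*"
            headers: "Content-Type,Accept",     // assumption: headers the clients send
            methods: "GET,POST,PUT,DELETE")     // assumption: verbs the API exposes
        {
            // Emits "Access-Control-Allow-Credentials: true", which the browser
            // requires before it hands the response to a withCredentials request.
            SupportsCredentials = true
        };

        // Keep the origin list explicit: with origins "*" and SupportsCredentials,
        // the library echoes back whatever Origin the request carried, so any
        // site could make cookie-authenticated calls to the API.
        config.EnableCors(legacyCookiePolicy);

        config.MapHttpAttributeRoutes();
    }
}
```

Browsers also reject a literal `Access-Control-Allow-Origin: *` on credentialed requests, so a static wildcard header in web.config does not work for this case either; the response has to name the exact calling origin.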

This is what you can do in the web.config file available in your web application.

You can edit it using Visual Studio Online (Monaco), which is the tool you add from the Azure portal.

More details here: http://enable-cors.org/server_iis7.html

+1