You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
rbanks54 opened this issue
Oct 19, 2018
· 3 comments
Assignees
Labels
area-mvcIncludes: MVC, Actions and Controllers, Localization, CORS, most templatesbugThis issue describes a behavior which is not expected - a bug.DoneThis issue has been fixed
The AllowAnyHeader() behaviour for seems to have changed between 2.0 and 2.2-preview3 and this causes problems with Firefox.
Previously preflight requests would return an Access-Control-Allow-Header containing the headers in the client request. This seems to have changed so that the server now returns a wildcard ('*') response.
Unfortunately the wildcard response appears to causes issue with Firefox. Chrome and Edge work correctly, however.
Thanks for the bug report! Seems like an issue with Firefox. We changed the code to reflect the Access-Control-Request-Headers and Access-Control-Request-Method when the policy supports wildcard. We were already doing this when the policy was configured to support credentials. We'll continue to respond with * in the Access-Control-Allow-Origin header if the policy is configured to support all origins and supports credentials. This is a mitigation for #3106.
dotnet
locked as resolved and limited conversation to collaborators
Dec 3, 2019
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
area-mvcIncludes: MVC, Actions and Controllers, Localization, CORS, most templatesbugThis issue describes a behavior which is not expected - a bug.DoneThis issue has been fixed
Describe the bug
The AllowAnyHeader() behaviour for seems to have changed between 2.0 and 2.2-preview3 and this causes problems with Firefox.
Previously preflight requests would return an Access-Control-Allow-Header containing the headers in the client request. This seems to have changed so that the server now returns a wildcard ('*') response.
Unfortunately the wildcard response appears to causes issue with Firefox. Chrome and Edge work correctly, however.
To Reproduce
Originally reported at: IdentityServer/IdentityServer4#2731.
You'll find more details there, including some repro steps.
Expected behavior
Return to previous behaviour, rather returning the wildcard response
The text was updated successfully, but these errors were encountered: