{
  "id": "dotnet/aspnet-core-cors-preflight-failure",
  "signature": "Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware: The CORS protocol does not allow a preflight request to have a body.",
  "signature_zh": "Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware: CORS 协议不允许预检请求包含请求体。",
  "regex": "Microsoft\\.AspNetCore\\.Cors\\.Infrastructure\\.CorsMiddleware: The CORS protocol does not allow a preflight request to have a body\\.",
  "domain": "dotnet",
  "category": "protocol_error",
  "subcategory": null,
  "root_cause": "ASP.NET Core CORS middleware rejects a preflight OPTIONS request because it contains a body, which violates the CORS specification.",
  "root_cause_type": "generic",
  "root_cause_zh": "ASP.NET Core CORS 中间件拒绝包含请求体的预检 OPTIONS 请求，因为违反了 CORS 规范。",
  "versions": [
    {
      "version": "3.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "5.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "6.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "7.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "8.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Modifying the CORS policy to allow all headers and methods without addressing the body issue",
      "why_fails": "CORS policy configuration does not affect the protocol-level restriction on preflight request bodies.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Disabling CORS middleware entirely in development",
      "why_fails": "Disabling CORS removes cross-origin protection and may cause security issues; also does not fix the root cause for production.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "Adding custom middleware to ignore the body on OPTIONS requests",
      "why_fails": "Custom middleware may not run before CORS middleware in the pipeline, or may interfere with other request handling.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Ensure the client does not send a body in OPTIONS preflight requests. For fetch API, avoid setting body on OPTIONS. Example: fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data) }) and let the browser handle preflight without body.",
      "success_rate": 0.95,
      "how": "Ensure the client does not send a body in OPTIONS preflight requests. For fetch API, avoid setting body on OPTIONS. Example: fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data) }) and let the browser handle preflight without body.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Configure CORS middleware to handle OPTIONS requests early by placing app.UseCors() before app.UseRouting() and app.UseEndpoints() in Startup.cs or Program.cs.",
      "success_rate": 0.85,
      "how": "Configure CORS middleware to handle OPTIONS requests early by placing app.UseCors() before app.UseRouting() and app.UseEndpoints() in Startup.cs or Program.cs.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use a custom middleware that reads and discards the body for OPTIONS requests before CORS middleware runs. Example: app.Use(async (context, next) => { if (context.Request.Method == \"OPTIONS\") { context.Request.Body = Stream.Null; } await next(); });",
      "success_rate": 0.75,
      "how": "Use a custom middleware that reads and discards the body for OPTIONS requests before CORS middleware runs. Example: app.Use(async (context, next) => { if (context.Request.Method == \"OPTIONS\") { context.Request.Body = Stream.Null; } await next(); });",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "确保客户端在 OPTIONS 预检请求中不发送请求体。对于 fetch API，避免在 OPTIONS 中设置 body。示例：fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data) }) 并让浏览器处理无请求体的预检。",
    "配置 CORS 中间件以提前处理 OPTIONS 请求，在 Startup.cs 或 Program.cs 中将 app.UseCors() 放在 app.UseRouting() 和 app.UseEndpoints() 之前。",
    "使用自定义中间件在 CORS 中间件运行之前读取并丢弃 OPTIONS 请求的请求体。示例：app.Use(async (context, next) => { if (context.Request.Method == \"OPTIONS\") { context.Request.Body = Stream.Null; } await next(); });"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://learn.microsoft.com/en-us/aspnet/core/security/cors",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.83,
  "fix_success_rate": 0.85,
  "resolvable": "true",
  "first_seen": "2024-05-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}