# Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware: The CORS protocol does not allow a preflight request to have a body.

- **ID:** `dotnet/aspnet-core-cors-preflight-failure`
- **Domain:** dotnet
- **Category:** protocol_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

ASP.NET Core CORS middleware rejects a preflight OPTIONS request because it contains a body, which violates the CORS specification.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| 3.1 | active | — | — |
| 5.0 | active | — | — |
| 6.0 | active | — | — |
| 7.0 | active | — | — |
| 8.0 | active | — | — |

## Workarounds

1. **Ensure the client does not send a body in OPTIONS preflight requests. For fetch API, avoid setting body on OPTIONS. Example: fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data) }) and let the browser handle preflight without body.** (95% success)
   ```
   Ensure the client does not send a body in OPTIONS preflight requests. For fetch API, avoid setting body on OPTIONS. Example: fetch(url, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data) }) and let the browser handle preflight without body.
   ```
2. **Configure CORS middleware to handle OPTIONS requests early by placing app.UseCors() before app.UseRouting() and app.UseEndpoints() in Startup.cs or Program.cs.** (85% success)
   ```
   Configure CORS middleware to handle OPTIONS requests early by placing app.UseCors() before app.UseRouting() and app.UseEndpoints() in Startup.cs or Program.cs.
   ```
3. **Use a custom middleware that reads and discards the body for OPTIONS requests before CORS middleware runs. Example: app.Use(async (context, next) => { if (context.Request.Method == "OPTIONS") { context.Request.Body = Stream.Null; } await next(); });** (75% success)
   ```
   Use a custom middleware that reads and discards the body for OPTIONS requests before CORS middleware runs. Example: app.Use(async (context, next) => { if (context.Request.Method == "OPTIONS") { context.Request.Body = Stream.Null; } await next(); });
   ```

## Dead Ends

- **Modifying the CORS policy to allow all headers and methods without addressing the body issue** — CORS policy configuration does not affect the protocol-level restriction on preflight request bodies. (90% fail)
- **Disabling CORS middleware entirely in development** — Disabling CORS removes cross-origin protection and may cause security issues; also does not fix the root cause for production. (70% fail)
- **Adding custom middleware to ignore the body on OPTIONS requests** — Custom middleware may not run before CORS middleware in the pipeline, or may interfere with other request handling. (60% fail)