dotnet
auth_error
ai_generated
true
Access to XMLHttpRequest at 'https://api.example.com' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
ID: dotnet/aspnetcore-cors-preflight-failure
87%Fix Rate
84%Confidence
1Evidence
2023-04-18First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| dotnet 6.0 | active | — | — | — |
| dotnet 8.0 | active | — | — | — |
| ASP.NET Core 6.0 | active | — | — | — |
| ASP.NET Core 8.0 | active | — | — | — |
Root Cause
CORS preflight OPTIONS request fails because the server does not respond with a 200 status or missing required CORS headers (e.g., Access-Control-Allow-Origin).
generic中文
CORS 预检 OPTIONS 请求失败,因为服务器未返回 200 状态或缺少必需的 CORS 头(例如 Access-Control-Allow-Origin)。
Official Documentation
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-8.0Workarounds
-
90% success Configure ASP.NET Core CORS middleware to handle preflight requests correctly. Example in Program.cs:
Configure ASP.NET Core CORS middleware to handle preflight requests correctly. Example in Program.cs:
-
85% success If using custom middleware, ensure OPTIONS requests return 200 with appropriate headers before other middleware.
If using custom middleware, ensure OPTIONS requests return 200 with appropriate headers before other middleware.
-
80% success For development, use a proxy in the client app (e.g., in React or Angular) to avoid CORS entirely.
For development, use a proxy in the client app (e.g., in React or Angular) to avoid CORS entirely.
中文步骤
Configure ASP.NET Core CORS middleware to handle preflight requests correctly. Example in Program.cs:
If using custom middleware, ensure OPTIONS requests return 200 with appropriate headers before other middleware.
For development, use a proxy in the client app (e.g., in React or Angular) to avoid CORS entirely.
Dead Ends
Common approaches that don't work:
-
95% fail
Only works locally; production browsers enforce CORS, breaking the app for real users.
-
80% fail
Preflight still fails if the server returns 404 or 500 for OPTIONS; the header alone is not enough.
-
85% fail
CORS with credentials requires specific headers (Access-Control-Allow-Credentials: true) and cannot use wildcard origin.