# Access to XMLHttpRequest at 'https://api.example.com' from origin 'https://app.example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

- **ID:** `dotnet/aspnetcore-cors-preflight-failure`
- **Domain:** dotnet
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 87%

## Root Cause

CORS preflight OPTIONS request fails because the server does not respond with a 200 status or missing required CORS headers (e.g., Access-Control-Allow-Origin).

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| dotnet 6.0 | active | — | — |
| dotnet 8.0 | active | — | — |
| ASP.NET Core 6.0 | active | — | — |
| ASP.NET Core 8.0 | active | — | — |

## Workarounds

1. **Configure ASP.NET Core CORS middleware to handle preflight requests correctly. Example in Program.cs:** (90% success)
   ```
   Configure ASP.NET Core CORS middleware to handle preflight requests correctly. Example in Program.cs:
   ```
2. **If using custom middleware, ensure OPTIONS requests return 200 with appropriate headers before other middleware.** (85% success)
   ```
   If using custom middleware, ensure OPTIONS requests return 200 with appropriate headers before other middleware.
   ```
3. **For development, use a proxy in the client app (e.g., in React or Angular) to avoid CORS entirely.** (80% success)
   ```
   For development, use a proxy in the client app (e.g., in React or Angular) to avoid CORS entirely.
   ```

## Dead Ends

- **** — Only works locally; production browsers enforce CORS, breaking the app for real users. (95% fail)
- **** — Preflight still fails if the server returns 404 or 500 for OPTIONS; the header alone is not enough. (80% fail)
- **** — CORS with credentials requires specific headers (Access-Control-Allow-Credentials: true) and cannot use wildcard origin. (85% fail)