# 从源 'https://app.example.com' 对 'https://api.example.com' 的 XMLHttpRequest 访问已被 CORS 策略阻止：预检请求的响应未通过访问控制检查：它没有 HTTP 正常状态。

- **ID:** `dotnet/aspnetcore-cors-preflight-failure`
- **领域:** dotnet
- **类别:** auth_error
- **验证级别:** ai_generated
- **修复率:** 87%

## 根因

CORS 预检 OPTIONS 请求失败，因为服务器未返回 200 状态或缺少必需的 CORS 头（例如 Access-Control-Allow-Origin）。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| dotnet 6.0 | active | — | — |
| dotnet 8.0 | active | — | — |
| ASP.NET Core 6.0 | active | — | — |
| ASP.NET Core 8.0 | active | — | — |

## 解决方案

1. ```
   Configure ASP.NET Core CORS middleware to handle preflight requests correctly. Example in Program.cs:
   ```
2. ```
   If using custom middleware, ensure OPTIONS requests return 200 with appropriate headers before other middleware.
   ```
3. ```
   For development, use a proxy in the client app (e.g., in React or Angular) to avoid CORS entirely.
   ```

## 无效尝试

- **** — Only works locally; production browsers enforce CORS, breaking the app for real users. (95% 失败率)
- **** — Preflight still fails if the server returns 404 or 500 for OPTIONS; the header alone is not enough. (80% 失败率)
- **** — CORS with credentials requires specific headers (Access-Control-Allow-Credentials: true) and cannot use wildcard origin. (85% 失败率)