CORS header not being set for internal server error response

[mo-esmp]

For internal server error, there are no access-control-* headers in the response. As far as I know
this issue should be fixed since ASP.NET Core 2.2.

Here is my CORS configuration:

services.AddCors(options =>
{
    options.AddPolicy(name: "AllowedOrigins",
        policyBuilder =>
        {
            var urls = Configuration.GetSection("Host:AllowedOrigins").Get<List<string>>();
            policyBuilder.WithOrigins(urls.ToArray())
                .AllowAnyMethod()
                .AllowAnyHeader()
                .SetIsOriginAllowed((host) => true)
                .AllowCredentials();
        });
});

And in Configure method :

app.UseRouting();

app.UseCors("AllowedOrigins");
app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});

Further technical details

- ASP.NET Core version: 3.1

.NET Core SDK (reflecting any global.json):
 Version:   3.1.202
 Commit:    6ea70c8dca

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.1.202\

Host (useful for support):
  Version: 3.1.4
  Commit:  0c2e69caa6

.NET Core SDKs installed:
  1.0.0 [C:\Program Files\dotnet\sdk]
  2.1.802 [C:\Program Files\dotnet\sdk]
  2.2.402 [C:\Program Files\dotnet\sdk]
  3.1.200 [C:\Program Files\dotnet\sdk]
  3.1.202 [C:\Program Files\dotnet\sdk]
- Visual Studio 15.6

[sackri10]

After seeing the Code fix done as part of Issue #2378. I feel like the fix is not considered for latest code.

[mkArtakMSFT]

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

[Entroper]

I know this seems insignificant, but this is a thorn in my side when helping newer developers debug. Every 500, 404, 401/403 etc. is reported by the browser as a CORS error. A lot of time is wasted chasing these red herrings when the real issue has nothing to do with CORS.

[pavlexander]

hey, I've been struggling with the same issue and following solution seems to have worked:

app.UseExceptionHandler(exceptionHandlerApp =>
{
    exceptionHandlerApp.Run(async context =>
    {
        context.Response.StatusCode = StatusCodes.Status500InternalServerError;
    });
});

app.UseCors(...);

I have made an answer on StackOverflow https://stackoverflow.com/a/71695813/1215913

There is also an explanation provided by another author why the solution works.

Happy coding :)

[lnxph-devops-sareno]

I had the same issue. As a workaround, I added a new middleware that act as a global exception handler:

var app = builder.Build();

app.Use(async (context, next) =>
{
        try
        {
            await next(context);
        }
        catch (Exception e)
        {
            context.Response.StatusCode = StatusCodes.Status500InternalServerError;
            await context.Response.WriteAsync(e.ToString());
        }
});

app.UseCors();

[filipbekic01]

We spent hours and hours trying to figure out what's wrong with internal server response. First we thought it's our proxy cutting the response but no, it's dotnet. Hope for the best.