Azure APIM - CORS policy

Ghawali, Avinash (AssetMark) 0 Reputation points
2024-03-02T02:26:05.12+00:00

Hello,

I am currently facing a CORS issue in Azure APIM with my API.

I added the CORS policy below, inbound only, to my API on All Operations, where for testing I have kept everything open, allowing any origin, header and method.

This is still not resolving the CORS error on the client side. When I enable the CORS policy at the global level, it resolves the CORS error on the client side and I am able to get resources.

Any help resolving this issue will be appreciated. Thank you for your help in advance.

<policies>
    <inbound>
        <base />
        <cors allow-credentials="false">
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <choose>
            <when condition="@(context.Request.Headers.GetValueOrDefault("Api-Environment","").Equals("DEV", StringComparison.OrdinalIgnoreCase))">
                <set-backend-service base-url="{{dev-backend-service}}/api/v1/" />
            </when>
            <when condition="@(context.Request.Headers.GetValueOrDefault("Api-Environment","").Equals("DEV11", StringComparison.OrdinalIgnoreCase))">
                <set-backend-service base-url="{{dev11-backend-service}}/api/v1/" />
            </when>
            <when condition="@(context.Request.Headers.GetValueOrDefault("Api-Environment","").Equals("DEV12", StringComparison.OrdinalIgnoreCase))">
                <set-backend-service base-url="{{dev12-backend-service}}/api/v1/" />
            </when>
            <when condition="@(context.Request.Headers.GetValueOrDefault("Api-Environment","").Equals("DEV13", StringComparison.OrdinalIgnoreCase))">
                <set-backend-service base-url="{{dev13-backend-service}}/api/v1/" />
            </when>
            <otherwise>
                <return-response>
                    <set-status code="400" reason="Bad Request" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{
                    "errorCode": "400",
                    "errorMessage": "Invalid Api-Environment header's value. Value must be DEV, DEV11, DEV12, or DEV13"
                    }</set-body>
                </return-response>
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <on-error>
        <base />
    </on-error>
    <outbound>
        <base />
        <set-header name="Access-Control-Allow-Origin" exists-action="override">
            <value>@(context.Request.Headers.GetValueOrDefault("Origin",""))</value>
        </set-header>
        <set-header name="Access-Control-Allow-Methods" exists-action="override">
            <value>POST</value>
        </set-header>
        <set-header name="Access-Control-Allow-Headers" exists-action="override">
            <value>Content-Type</value>
        </set-header>
        <set-header name="Access-Control-Allow-Credentails" exists-action="override">
            <value>true</value>
        </set-header>
    </outbound>
</policies>


1 answer

  1. JananiRamesh-MSFT 21,861 Reputation points
    2024-03-04T12:31:37.56+00:00

    @Ghawali, Avinash (AssetMark) Thanks for reaching out. Based on the description, it seems that you're experiencing CORS issues even after adding an inbound CORS policy to your API on all operations.

    Could you please share your effective policy? Also, please check scenario 5 in the following blog, https://techcommunity.microsoft.com/t5/azure-paas-blog/how-to-troubleshoot-cors-error-in-azure-api-management-service/ba-p/2241695, and let me know if this helps.

    Do let me know in case of further queries; I would be happy to assist you.
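
An added example, not part of the original thread and not Microsoft tooling: a small review lint over the CORS-related parts of the policy posted in the question. The name `lint_policy`, the finding strings and the choice of checks are assumptions made for illustration; the findings mark settings worth reviewing, not the cause of the poster's error.

```python
import re

# Response headers defined by the CORS protocol.
CORS_HEADERS = {"access-control-" + s for s in (
    "allow-origin", "allow-methods", "allow-headers",
    "allow-credentials", "expose-headers", "max-age")}
# Policy expressions put unescaped quotes inside attributes, so the document
# is not well-formed XML; scan it with regexes rather than an XML parser.
SET_HEADER = re.compile(
    r'<set-header\s+name="([^"]+)"[^>]*>\s*<value>(.*?)</value>', re.S)
CORS_BLOCK = re.compile(r"<cors\b[^>]*>(.*?)</cors>", re.S)
# Constructed sample: the CORS-related parts of the policy in the question.
SAMPLE = '''<policies><inbound><base />
<cors allow-credentials="false">
<allowed-origins><origin>*</origin></allowed-origins>
</cors></inbound>
<outbound><base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>@(context.Request.Headers.GetValueOrDefault("Origin",""))</value></set-header>
<set-header name="Access-Control-Allow-Credentails" exists-action="override">
<value>true</value></set-header>
</outbound></policies>'''


def lint_policy(policy: str) -> list[str]:
    """Return review findings for the CORS settings in an APIM policy."""
    findings = []
    cors_blocks = CORS_BLOCK.findall(policy)
    if any(re.search(r"<origin>\s*\*\s*</origin>", b) for b in cors_blocks):
        findings.append("cors: wildcard origin")
    manual = {}
    for name, value in SET_HEADER.findall(policy):
        key = name.strip().lower()
        if key.startswith("access-control-"):
            manual[key] = value.strip()
            if key not in CORS_HEADERS:
                findings.append(f"set-header: unknown CORS header {name!r}")
    origin = manual.get("access-control-allow-origin", "")
    reflected = origin.startswith("@(") and '"Origin"' in origin
    # Match on "cred" so a misspelled credentials header still shows intent.
    creds = any("cred" in k and v.lower() == "true" for k, v in manual.items())
    if reflected:
        findings.append("set-header: Allow-Origin echoes the request Origin")
    if reflected and creds:
        findings.append("set-header: echoed origin with credentials enabled")
    if manual and cors_blocks:
        findings.append("set-header: CORS headers set by hand beside <cors>")
    return findings
```

Calling `lint_policy(SAMPLE)` returns five findings for the constructed sample, including the header name `Access-Control-Allow-Credentails`, which is not a CORS response header.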
