api management (new developer portal) - octet-stream - gives cors error but other methods don't

Question

on the old portal it opens the file and shows a portion of it in the output. On the new portal i get *Unable to complete the request Since the browser initiates the request, it requires Cross-Origin Resource Sharing (CORS) enabled on the server *. I was getting cors error for all calls until i added the policy as shown below (site masked for privacy) at the inbound global level

<cors allow-credentials="true"> <allowed-origins> <origin>mydevportallink</origin> </allowed-origins> <allowed-methods> <method>GET</method> </allowed-methods> <allowed-headers> <header>*</header> </allowed-headers> </cors>

Now all the methods work except one that produces a octet-stream sourced from a file created in azure blob. The backend api essentially sends a redirect to the file url. am i missing something in the cors config that will allow this to work?

dev tools trace - (hidden domains for privacy)

api-details#api=hidden&operation=query:1 Access to XMLHttpRequest at 'https://hidden.blob.core.windows.net/temp/temp/8b1e1a9b-da87-47a2-b749-74c755d0e269.csv?sv=2019-07-07&sr=b&sig=QrLJBdD0DvxsZjStgVbuwxYo0Hq2Ocdmi7h4twnmNE4%3D&se=2021-03-04T21%3A04%3A49Z&sp=r&rscd=attachment%3B%20filename%3D20210304%2017%3A04.csv' (redirected from 'https://hidden-apim.azure-api.net/query?data_area=hidden&output_format=csv&sample=false') from origin 'https://hidden-apim.developer.azure-api.net' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://hidden-apim.developer.azure-api.net' that is not equal to the supplied origin.

Answer 1

@Wayne Theron Since your API is redirecting directly to Blob Storage, CORS has to be setup there as well since the browser makes the call directly. Check the official doc for setting up CORS for Azure Storage for more details.

The same can be set from the portal as well like below