SanchitaSengupta-2560 asked ChaitanyaNaykodiMSFT-9638 answered

CORS error being thrown from APIM developer portal for return-response policy

I am trying to run my APIM API from the developer portal. I have added the full CORS policy as below:

<cors>
    <allowed-origins>
        <origin>*</origin>
    </allowed-origins>
    <allowed-methods>
        <method>GET</method>
        <method>POST</method>
        <method>PUT</method>
        <method>DELETE</method>
        <method>HEAD</method>
        <method>OPTIONS</method>
        <method>PATCH</method>
        <method>TRACE</method>
    </allowed-methods>
    <allowed-headers>
        <header>*</header>
    </allowed-headers>
    <expose-headers>
        <header>*</header>
    </expose-headers>
</cors>

It works fine until I add a return-response policy within on-error. Then it again starts throwing the CORS policy error, asking to enable CORS on the browser, even though CORS is already enabled. Is there any other CORS tag to add?

My on-error code:
<on-error>
    <choose>
        <when condition="@(context.Response.StatusCode != 200)">
            <return-response>
                <set-status code="@(context.Response.StatusCode)" reason="@(context.LastError.Reason)" />
                <set-body>@{
                    return new JObject(
                        new JProperty("Error Reason", context.LastError.Reason)
                    ).ToString();
                }</set-body>
            </return-response>
        </when>
        <otherwise />
    </choose>
    <base />
</on-error>


I have checked after changing the origin from * to the link of the dev portal; I get the same error.

The policy works in Postman.

azure-api-management

Just an update: for some strange reason the asterisk isn't showing after I save the full question here; I tried saving a few times. Both origin and header are set to asterisk.


1 Answer

ChaitanyaNaykodiMSFT-9638 answered

Hello @SanchitaSengupta-2560, Welcome to Microsoft Q&A! Thanks for posting the question.

Can you please confirm if you have the CORS policy applied at the global/API level or at the product level? I ask because, based on the information here, if you apply the CORS policy in the Product scope instead of the API(s) scope, and your API uses subscription key authentication through a header, your console won't work. The browser automatically issues an OPTIONS HTTP request, which doesn't contain a header with the subscription key. Because of the missing subscription key, API Management can't associate the OPTIONS call with a Product, so it can't apply the CORS policy. As a workaround you can pass the subscription key in a query parameter.

Please let me know if there are any concerns. Thank you!
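As an added example (not the poster's or Microsoft's own code), the two fragments from the question assembled into one policy document applied at the API scope, as the answer suggests, with the cors policy placed first in inbound so the preflight OPTIONS request is answered before any subscription-key check; the Content-Type header, the preflight-result-max-age value and the completed JObject expression are assumptions added here.

```xml
<policies>
    <inbound>
        <!-- cors first: the browser's OPTIONS preflight carries no subscription key header -->
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>GET</method>
                <method>POST</method>
                <method>PUT</method>
                <method>DELETE</method>
                <method>HEAD</method>
                <method>OPTIONS</method>
                <method>PATCH</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <choose>
            <when condition="@(context.Response.StatusCode != 200)">
                <return-response>
                    <set-status code="@(context.Response.StatusCode)" reason="@(context.LastError.Reason)" />
                    <!-- assumed addition: tell the client the error body is JSON -->
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>@{
                        return new JObject(
                            new JProperty("Error Reason", context.LastError.Reason)
                        ).ToString();
                    }</set-body>
                </return-response>
            </when>
        </choose>
        <base />
    </on-error>
</policies>
```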
