Azure Functions Access-Control-Allow-Credentials with CORS

There is a known issue documented on GitHub here with a title of Cross origin http request CORS fails with response header missing ‘Access-Control-Allow-Credentials: true’. Although the issue described and a solution provided, I thought I would write up what I did as I use C# and didn’t see any examples of that, so here goes.

Description

I expect this to be temporary as you see in the GitHub article the solution is in the backlog. I just learned a lot about these features Azure Functions and CORS while working on this issue and wanted to document my learning.

When a client sends an Origin header to the server, the client would expect a result with the Access-Control-Allow-Origin header with a value of the allowed origin, if it matches the supplied Origin from the client. Figure 1.

Figure 1, Access-Control-Allow-Origin and Access-Control-Allow-Credentials with an Azure Function

This is what CORS is Cross-Origin Resource Sharing. Sometimes you need to add an additional header called Access-Control-Allow-Credentials in addition to the Access-Control-Allow-Origin header. Issue is, if you update your code to add that header it does not make it to the client from the Azure Function unless you remove all the allowed origins from the CORS list. But, if you remove all the allowed origins from the CORS blade in the portal then you cannot run the function from within the portal. If you remove all the CORS values, you will see an error like that in Figure 2.

Error: CORS is not configured for this function app. Please add https://functions.azure.com to your CORS list. Session Id: Timesatmp:

Figure 2, Access-Control-Allow-Origin and Access-Control-Allow-Credentials with an Azure Function

If you add the headers to the Azure Function like this and remove all the allowed origins, then you will get the headers, Figure 3.

... var origin = req.Headers.GetValues("Origin").FirstOrDefault(); ... var response = req.CreateResponse(HttpStatusCode.OK, "Hello " + name);

if (req.Headers.Contains("Origin")) { response.Headers.Add("Access-Control-Allow-Credentials", "true"); response.Headers.Add("Access-Control-Allow-Origin", origin); response.Headers.Add("Access-Control-Allow-Methods", "GET, OPTIONS"); } return response; ...

Figure 3, Access-Control-Allow-Origin and Access-Control-Allow-Credentials with an Azure Function

Solution

Until the official solution is provided you need to determine if this workaround works for you or not.

You can use the Visual Studio Tools for Azure Functions which I discuss here.

Then you can troubleshoot and test your Azure Function locally which I discuss here.

curl -H "Origin: https://www.contoso.com" -G http://localhost:7071/api/SayHello?code=1cee54a4238f471fa4d6dca74c2807bc -d name=Benjamin -v

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

The Best C# Programmer In The World - Benjamin Perkins

articles about C# and numerous other technologies

Description

Solution