Core 2.1 refuses to respond with Access-Control-Expose-Headers: *

Question

I must be doing something wrong here but I can\'t figure it out; it seems to be a CORS issue from what I can tell. I need to expose Access-Control-Expose-Headers: *

Answer 1

The CorsPolicyBuilder's AllowAnyHeader method configures the Access-Control-Allow-Headers response header, which is used only for preflighted requests. The Access-Control-Expose-Headers response header is what's needed, which is configured using WithExposedHeaders.

Here's a complete example:

services.AddCors(options =>
{
    options.AddPolicy("AllowAll", builder =>
    {
        builder.AllowAnyHeader()
               .AllowAnyMethod()
               .AllowAnyOrigin()
               .AllowCredentials()
               .WithExposedHeaders("Location"); // params string[]
    });
});