SignalR Core 2.2 CORS AllowAnyOrigin() breaking change

Question

To connect via SignalR to an ASP.NET Core 2.1 server from any origin, we had to configure the pipeline as follows:

app.UseCors (
  builder => builder
   .AllowAnyHeader ()
   .AllowAnyMethod ()
   .AllowAnyOrigin ()
   .AllowCredentials ()
)

According to this document, ASP.NET Core 2.2 no longer allows the combination of AllowAnyOrigin and AllowCredentials, so what would be the solution? Whereas the SignalR Core always sends withCredentials:true in the XMLHtppRequest.

What I need is that from any origin and without credentials, our users can connect to the SignalR Hub.

Answer 1

There is a workaround, change AllowAnyOrigin to SetIsOriginAllowed:

app.UseCors(builder => builder
                .AllowAnyHeader()
                .AllowAnyMethod()
                .SetIsOriginAllowed(_ => true)
                .AllowCredentials()
            );

Answer 2

You can use the "WithOrigins" method passing the origins, maybe read by configuration.

app.UseCors(builder => builder
            .AllowAnyHeader()
            .AllowAnyMethod()
            .WithOrigins(new string[] { "www.example1.com", "www.example2.com" })
            .AllowCredentials()
        );

If the only string passed is " * " you still have problems with signalR. If you pass many strings and one of them is " * ", it works.