
"CORSCredentials": true in local.settings.json not working for local development

Open securityvoid opened this issue 4 years ago • 7 comments

Setting CORSCredentials to true in local.settings.json does not appear to result in the Access-Control-Allow-Credentials: true header being added to the HTTP response, even when a valid Origin is passed and the proper Access-Control-Allow-Origin is returned.

The following is what I have in my local.settings.json:

{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "node"
  },
  "Host": {
    "CORS": "http://localhost",
    "CORSCredentials": true
  },
  "ConnectionStrings": {}
}

I'm running version 2.0.3 of the runtime, and utilizing NodeJS.

This is an example HTTP Request to my application:

GET /api/getCSRF HTTP/1.1
Host: localhost:7071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost
Connection: close
Referer: http://localhost/
Cache-Control: max-age=0

and the HTTP Response I'm getting from the local function runtime:

HTTP/1.1 200 OK
Connection: close
Date: Tue, 09 Jun 2020 20:23:37 GMT
Content-Type: application/json; charset=utf-8
Server: Kestrel
Set-Cookie: CSRFToken=bbcb_TRUNCATED_ddef; secure; HttpOnly
Access-Control-Allow-Origin: http://localhost
Content-Length: 87

{
  "CSRFToken": "e23169a5902139e477b942cb3e171284b3fbf46911e41a4bb50814fbd297b1df"
}

I have not yet attempted this on the live Azure Functions, but I will soon and will update here.

securityvoid, Jun 09 '20 20:06
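
The check a browser applies to a credentialed cross-origin request (fetch with credentials: "include"), run over the response headers reported in this issue. This is an added example, not part of the original issue or of azure-functions-core-tools; the function names and the constructed sample strings are assumptions made here.

```javascript
// Parse the header block of a raw HTTP/1.1 response into a lowercase-keyed map.
function parseHeaders(rawResponse) {
  const head = rawResponse.split(/\r?\n\r?\n/)[0];
  const headers = new Map();
  for (const line of head.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers are combined; a combined Allow-Origin value fails the match below.
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return headers;
}

// Returns { allowed, reasons } for reading the response from requestOrigin with credentials.
function checkCredentialedCors(rawResponse, requestOrigin) {
  const h = parseHeaders(rawResponse);
  const acao = h.get("access-control-allow-origin");
  const acac = h.get("access-control-allow-credentials");
  const reasons = [];
  if (acao === undefined) {
    reasons.push("Access-Control-Allow-Origin is missing");
  } else if (acao === "*") {
    reasons.push("wildcard Access-Control-Allow-Origin is not accepted with credentials");
  } else if (acao !== requestOrigin) {
    reasons.push(`Access-Control-Allow-Origin "${acao}" does not match "${requestOrigin}"`);
  }
  // The value must be the exact, case-sensitive string "true".
  if (acac !== "true") reasons.push("Access-Control-Allow-Credentials: true is missing");
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample: the headers reported in the issue (cookie value replaced by a placeholder).
const reported = [
  "HTTP/1.1 200 OK",
  "Content-Type: application/json; charset=utf-8",
  "Server: Kestrel",
  "Set-Cookie: CSRFToken=PLACEHOLDER; secure; HttpOnly",
  "Access-Control-Allow-Origin: http://localhost",
  "", "{}",
].join("\r\n");
// Constructed sample: the same response with the header the setting is expected to add.
const expected = reported.replace("Content-Type", "Access-Control-Allow-Credentials: true\r\nContent-Type");

console.log(checkCredentialedCors(reported, "http://localhost")); // allowed: false
console.log(checkCredentialedCors(expected, "http://localhost")); // allowed: true
```
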