Request: Configure CORS for StaticWebApp #588
Comments
Strepto
changed the title
|
@Strepto Have you tried setting this up using a You can also enable those headers for a specific route. See an example in the SWA playground. Let me know if that solved your issue. |
|
This works great, and I did not know about this. We would like to be able to whitelist/allowlist multiple domains. So that would be a further feature request. As far as I know the allow origin header is for a single domain at a time (OR wildcard). |
Can you maybe give an staticwebapp.config.json example for doing so? Having |
Unfortunately, it doesn’t work for me. But the same server code can work in Vercel, so I don’t think that’s related to my server settings. |
|
@manekinekko can you verify this solution is still working? I have added the globalHeaders as well to the staticwebapp.config.json. But without success. On my static web app my API is not available from my localhost: Any idea? |
I think you are using NextJS, right? No CORS for nextjs for now |
|
@xiningli We are using C# for API and for SWA we use Angular / Typescript. |
|
won't work for nextjs... and the next.config.js also won't work for async headers() |
|
@xiningli - We're running into the same issue - using NextJS 13. Stuck on CORS issue. globalHeaders, nextConfig - all don't work. How did you fix the issue? Thx. |
|
I'm having trouble getting CORS requests to API (function) endpoints in an Azure Static Web App to work with custom headers (and, in fact, it seems any non-"simple" CORS request). My Note: I'm also adding these headers within the function response, but the failure happens at preflight, NOT function execution. Requests go through without the custom header, but have a CORS preflight failure when the custom header is added. It seems that any request that triggers a preflight to an My guess is that there is something else in Azure Static Web Apps that's blocking non-simple requests to API routes. However, this does not happen in the command line simulator ( The use case here is that we are building a shared data service used by multiple small & independent applications, and while in principle we could set up a proxy for each application to the data service (which would also avoid the latency penalty from CORS preflight requests), in practice that adds a lot of complexity to the system, since we then have N proxies/backends to monitor & maintain in addition to the data service, rather than 1 universal data service (and a bunch of front-end-only applications). EDIT: late night update... I just found a solution to controlling CORS preflight responses on api endpoints! Yay! I guess the problem was in the chair (me), not in the computer... You can adjust the function host.json settings to include custom headers that allow cross origin requests. I added the following to "extensions": {
"http": {
"routePrefix": "api",
"customHeaders": {
"Access-Control-Allow-Headers": "x-custom",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "*"
}
}
}Now, the preflights pass and CORS is working. It would probably be nice to have a hint about this in the documentation. The way I read the "Global headers" section was that these headers would be applied to every response in the static web app—including the api—when in reality they only (seem) to apply to static content, and the managed functions API's headers are controlled in In retrospect, this makes sense, but it sure took me a lot of time to figure out... |
Is your feature request related to a problem? Please describe.
We are creating a solution where the files hosted on our static web app should also be available from a separate website.
Currently that is blocked by CORS, and I cannot find a way to configure it.
The use-case we have is a shared "Portal" website that is embedding different web-apps on separate domains. This means that releases of the web-apps are independent of the portal, but that the portal needs to access these various services from the browser.
We are currently hosting these web-apps on AppService, but would like to use static apps instead. But we are blocked by CORS in the browser, and cannot find a way to enable
Is there any plans for adding CORS configuration?
Describe the solution you'd like
Exposed CORS whitelist for specific domains.
Describe alternatives you've considered
N/A
The text was updated successfully, but these errors were encountered: