CORS: Incorrect Status Code For OPTIONS endpoint

[data-miner00]

Description

Hi maintainers,

At the Preflight requests section, I think there is an incorrect expectation when it mentions that if the preflight request is denied, it return a 200 OK status code without CORS headers.

AspNetCore.Docs/aspnetcore/security/cors.md

Line 366 in fde96be

If the preflight request is denied, the app returns a `200 OK` response but doesn't set the CORS headers. Therefore, the browser doesn't attempt the cross-origin request. For an example of a denied preflight request, see the [Test CORS](#testc6) section of this document.

It should be returning 204 No Content instead. I've provided a screenshot that calls the OPTIONS endpoint with invalid origin and highlighted the status code. Can you guys help to confirm this behavior?

Additionally, here is my simple setup in case you need a quick repro.

Thank you!

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-10.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/cors.md

Document ID

d3f332c4-4c60-039e-0e1e-bc6b11831f87

Platform Id

fa70aa3f-a2de-be8b-4255-e778a6edb8ff

Article author

@tdykstra

Metadata

• ID: 59bca5db-1196-2a8b-a0d8-4e89b2382288
• PlatformId: fa70aa3f-a2de-be8b-4255-e778a6edb8ff
• Service: aspnet-core
• Sub-service: security

Related Issues

---

Associated WorkItem - 550679

[brockallen]

I'm not sure the spec explicitly says to issue a 204: https://www.w3.org/TR/2020/SPSD-cors-20200602/#cross-origin-request-with-preflight-0. Perhaps there's a updated to the spec somewhere that does?

[data-miner00]

I think it's true that the spec mentioned 2xx instead of 204 specifically, however the docs over here refers to how CORS works in an ASP.NET Core app instead. From my test, I received 204 for the options request and hence I'll expect the behavior to be consistent with the docs. Please correct me if I am wrong, thanks!

Here is a snippet of how I enabled CORS in my setup for your reference.

// Registrations
const string MyCorsPolicy = "myCors";
builder.Services.AddCors((opt) =>
{
    opt.AddPolicy(
        name: MyCorsPolicy,
        (policy) =>
        {
            policy.WithOrigins(corsOptions.AllowedOrigins)
                  .WithHeaders(corsOptions.AllowedHeaders)
                  .WithMethods(corsOptions.AllowedMethods);
        });
});

// Middleware
app.UseCors(MyCorsPolicy);

[brockallen]

Oh I see -- you got a 204. Yep, agreed then. 👍

[copilot-swe-agent]

The agent encountered an error and was unable to start working on this issue: Before you can use Copilot coding agent, you need to pick a "Usage billed to" option in your Copilot settings. Update your settings, then try again.