CORS missing 'Access-Control-Allow-Methods'


I have configured an OpenApi endpoint, but some services fail to connect.

For example, Built.io Flows can read the OpenAPI spec (JSON) but crashes when I select an operation, and Azure Logic Apps tells me there is a potential CORS issue when importing the OpenAPI spec.

Other services work correctly though, like:

They correctly fetch the OpenApi doc (v3.0.1) and mark it as valid.

To debug the issue I have temporarily allowed all methods, origins and headers.

This is the example output of a pre-flight request:

    curl --request OPTIONS \
      --url https://my-endpoint \
      --header 'accept: application/json' \
      --header 'access-control-request-headers: X-Test' \
      --header 'access-control-request-method: GET' \
      --header 'origin: https://flow.built.io' \
      --head

And response:

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Server:
    X-Frame-Options: DENY
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Headers: X-Test
    Access-Control-Max-Age: 60
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcYWFtXFNDSFxzdHlsZWxhYnMubVxzcmNcU3R5bGVsYWJzLk0uUG9ydGFsLldlYi5VSVx2MVxvcGVuYXBpXERlbW9Eb21haW4=?=
    X-Content-Type-Options: nosniff
    Date: Wed, 07 Aug 2019 11:21:01 GMT
    Content-Length: 0

The actual request:

    curl --request GET \
      --url https://my-endpoint \
      --header 'accept: application/json' \
      --header 'origin: https://flow.built.io' \
      --head

And response:

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Content-Length: 775
    Content-Type: application/json; charset=utf-8
    ETag: "Lk4Y9t0X5UEvgxtRUQ0MGoqYu4l4cN53Ji5NpB3lhzI="
    Server:
    X-Frame-Options: DENY
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: *
    X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcYWFtXFNDSFxzdHlsZWxhYnMubVxzcmNcU3R5bGVsYWJzLk0uUG9ydGFsLldlYi5VSVx2MVxvcGVuYXBpXERlbW9Eb21haW4=?=
    X-Content-Type-Options: nosniff
    Date: Wed, 07 Aug 2019 11:26:00 GMT

The CORS headers look correct to me, but the 'Access-Control-Allow-Methods' is missing? Can this be the issue?

I'm using ASP.NET Framework with 'Microsoft.AspNet.WebApi.Cors' 5.2.7, configured as described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api

On my controller I have this attribute:

    [EnableCors(origins: "*", headers: "*", methods: "*", exposedHeaders: "*", PreflightMaxAge = 60)]

Best answer:

I found the issue... Built.io and Azure logic apps do not support Swagger/OpenApi version 3. The problem was not CORS, even though it was stated so by Azure logic apps.
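
On the question's doubt about the missing 'Access-Control-Allow-Methods' header: under the Fetch standard's CORS-preflight rules, GET, HEAD and POST are CORS-safelisted methods and need no entry in that header. The following is an added example, not code from the original post or from Microsoft.AspNet.WebApi.Cors. It is a simplified model of the browser-side check, run over the preflight headers captured in the question. The function names and the request object shape are hypothetical, and the requests are assumed to be sent without credentials.

```javascript
// Simplified model of the browser-side CORS-preflight check (Fetch standard).
// Assumption: `unsafeHeaders` are the names the browser listed in
// Access-Control-Request-Headers; safelisted-header value rules are not modelled.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function parseList(value) {
  // Absent header -> empty list; otherwise split the comma-separated value.
  if (value == null) return [];
  return value.split(",").map((s) => s.trim()).filter((s) => s !== "");
}

function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const creds = req.credentials === true;

  if (res.status < 200 || res.status > 299) return "fail: preflight status is not 2xx";

  const acao = h["access-control-allow-origin"];
  if (acao !== req.origin && !(acao === "*" && !creds)) return "fail: origin not allowed";
  if (creds && h["access-control-allow-credentials"] !== "true") return "fail: credentials not allowed";

  const methods = parseList(h["access-control-allow-methods"]);
  const wildcardMethod = !creds && methods.includes("*");
  if (!methods.includes(req.method) && !SAFELISTED_METHODS.includes(req.method) && !wildcardMethod)
    return `fail: method ${req.method} not allowed`;

  const allowed = parseList(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  const wildcardHeader = !creds && allowed.includes("*");
  for (const name of req.unsafeHeaders.map((n) => n.toLowerCase())) {
    // Authorization is never covered by the "*" wildcard.
    const covered = allowed.includes(name) || (wildcardHeader && name !== "authorization");
    if (!covered) return `fail: header ${name} not allowed`;
  }
  return "pass";
}

// Preflight response headers copied from the question above.
const pagePreflight = {
  status: 200,
  headers: {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "X-Test",
    "Access-Control-Max-Age": "60",
  },
};
const origin = "https://flow.built.io";
console.log(checkPreflight({ origin, method: "GET", unsafeHeaders: ["X-Test"] }, pagePreflight));
console.log(checkPreflight({ origin, method: "PUT", unsafeHeaders: ["X-Test"] }, pagePreflight));
```

The GET preflight from the question passes without 'Access-Control-Allow-Methods', while the same response would be rejected for a PUT.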