The CorsPolicyBuilder
‘s AllowAnyHeader
method configures the Access-Control-Allow-Headers
response header, which is used only for preflighted requests. The Access-Control-Expose-Headers
response header is what’s needed, which is configured using WithExposedHeaders
.
Here’s a complete example:
services.AddCors(options =>
{
options.AddPolicy("AllowAll", builder =>
{
builder.AllowAnyHeader()
.AllowAnyMethod()
.AllowAnyOrigin()
.AllowCredentials()
.WithExposedHeaders("Location"); // params string[]
});
});