How to fix "The CORS protocol does not allow specifying a wildcard (any) origin and credentials at the same time" error

I had the same issue and I removed AllowCredentials() that fixed the issue for me.


You should have provided the rest of your code... Is this a Blazor client application or Razor Components application (formally known as Server-Side Blazor) ? I guess this is a Blazor client application, right ? Why do you instantiate an HttpClient ? You should use DI (Perhaps Constructor Injection) instead, injecting an HttpClient instance provided by Blazor itself.

The problem is probably server side, though it surfaces as a client one... Try the following:

Get https://www.nuget.org/packages/Microsoft.AspNetCore.Cors/

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddPolicy("CorsPolicy",
            builder => builder.AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader());
    });
     .....
}

And this:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)    
{
      app.UseCors("CorsPolicy");
}

Note, once again: CORS needs to be enabled on the server side, not in blazor. See https://docs.microsoft.com/en-us/aspnet/core/security/cors for details on how to enable CORS in ASP.NET Core.

Blazor:

 @page "/<template>"
 @inject HttpClient Http


@functions {

    protected override async Task OnInitAsync()
    {
        var response= await Http.GetJsonAsync<string>    
                      ("https://example.com?prm=2");

    }

}  

Hope this helps...


It's little bit late, but I hope it could be helpful for someone.

If you want AllowCredentials() and AllowAnyOrigin() together just use SetIsOriginAllowed(Func<string,bool> predicate)

doc about IsOriginAllowed

        services
            .AddCors(options =>
            {
                options.AddPolicy("CorsPolicy",
                    builder => builder
                    .AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader()
                    );

                options.AddPolicy("signalr",
                    builder => builder
                    .AllowAnyMethod()
                    .AllowAnyHeader()

                    .AllowCredentials()
                    .SetIsOriginAllowed(hostName => true));
            });