SignalR/CORS: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’

Describe the bug

Hi! I just upgraded from ASP.NET Core 2.1.6 to 2.2.0, everything working just fine except my connections to SignalR. In the negotiation phase (using javascript client and over websocket) I get a 204 with the error

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at ‘https://localhost:44333/ChatHub/negotiate’. (Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’).

Taking a look at the request I have the following

So the server sends out a ‘*’ instead of just sending out the origin from which the request came. The app needs to allow all origins since our users can add a chat to their own site.

In my Startup.cs I have defined CORS rules as follows

services.AddCors(options => { options.AddPolicy("AllowAllOrigins", b => { b.AllowAnyOrigin() .AllowCredentials() .AllowAnyHeader() .AllowAnyMethod(); }); });

Mind that this was working on 2.1.6 and earlier versions.

In the client side code I can get the chat to work if I set skipNegotiation to true, like this connection = new signalR.HubConnectionBuilder() .withUrl(serverURL + "ChatHub", { skipNegotiation: true, transport: signalR.HttpTransportType.WebSockets }) .build(); But I’m guessing that will have it’s own consequences and is not solving the real problem.

Been reading through so many threads and I just can’t get this to work again, anyone have any ideas as to might be causing it?

To Reproduce

Steps to reproduce the behavior:

1. Using ASP.NET Core 2.2.0
2. Create a Hub, add CORS settings and use a JS client to try to connect from a origin other then where the server is running

Expected behavior

To not recieve the CORS error, instead have the server return the allowed origin as a URL instead of wildcard ‘*’ since this won’t work with credentials, which is needed for SignalR as I understand it (for sticky cookies)