UseCORS/before/UseResponseCaching (#18910)

Rick-Anderson · web-flow · commit 8c3100cf7d4f · 2020-06-23T11:14:45.000-10:00
* UseCORS/before/UseResponseCaching

* work

* work

* work

* work
diff --git a/aspnetcore/fundamentals/middleware/index.md b/aspnetcore/fundamentals/middleware/index.md
@@ -80,7 +80,9 @@ The following `Startup.Configure` method adds security-related middleware compon
 In the preceding code:
 
 * Middleware that is not added when creating a new web app with [individual users accounts](xref:security/authentication/identity) is commented out.
-* Not every middleware needs to go in this exact order, but many do. For example, `UseCors`, `UseAuthentication`, and `UseAuthorization` must go in the order shown.
+* Not every middleware needs to go in this exact order, but many do. For example:
+  * `UseCors`, `UseAuthentication`, and `UseAuthorization` must go in the order shown.
+  * `UseCors` currently must go before `UseResponseCaching` due to [this bug](https://github.com/dotnet/aspnetcore/issues/23218).
 
 The following `Startup.Configure` method adds middleware components for common app scenarios:
 
@@ -237,7 +239,7 @@ ASP.NET Core ships with the following middleware components. The *Order* column
 | [Authentication](xref:security/authentication/identity) | Provides authentication support. | Before `HttpContext.User` is needed. Terminal for OAuth callbacks. |
 | [Authorization](xref:Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization*) | Provides authorization support. | Immediately after the Authentication Middleware. |
 | [Cookie Policy](xref:security/gdpr) | Tracks consent from users for storing personal information and enforces minimum standards for cookie fields, such as `secure` and `SameSite`. | Before middleware that issues cookies. Examples: Authentication, Session, MVC (TempData). |
-| [CORS](xref:security/cors) | Configures Cross-Origin Resource Sharing. | Before components that use CORS. |
+| [CORS](xref:security/cors) | Configures Cross-Origin Resource Sharing. | Before components that use CORS. `UseCors` currently must go before `UseResponseCaching` due to [this bug](https://github.com/dotnet/aspnetcore/issues/23218).|
 | [Diagnostics](xref:fundamentals/error-handling) | Several separate middlewares that provide a developer exception page, exception handling, status code pages, and the default web page for new apps. | Before components that generate errors. Terminal for exceptions or serving the default web page for new apps. |
 | [Forwarded Headers](xref:host-and-deploy/proxy-load-balancer) | Forwards proxied headers onto the current request. | Before components that consume the updated fields. Examples: scheme, host, client IP, method. |
 | [Health Check](xref:host-and-deploy/health-checks) | Checks the health of an ASP.NET Core app and its dependencies, such as checking database availability. | Terminal if a request matches a health check endpoint. |
@@ -247,7 +249,7 @@ ASP.NET Core ships with the following middleware components. The *Order* column
 | [HTTP Strict Transport Security (HSTS)](xref:security/enforcing-ssl#http-strict-transport-security-protocol-hsts) | Security enhancement middleware that adds a special response header. | Before responses are sent and after components that modify requests. Examples: Forwarded Headers, URL Rewriting. |
 | [MVC](xref:mvc/overview) | Processes requests with MVC/Razor Pages. | Terminal if a request matches a route. |
 | [OWIN](xref:fundamentals/owin) | Interop with OWIN-based apps, servers, and middleware. | Terminal if the OWIN Middleware fully processes the request. |
-| [Response Caching](xref:performance/caching/middleware) | Provides support for caching responses. | Before components that require caching. |
+| [Response Caching](xref:performance/caching/middleware) | Provides support for caching responses. | Before components that require caching. `UseCORS` must come before `UseResponseCaching`.|
 | [Response Compression](xref:performance/response-compression) | Provides support for compressing responses. | Before components that require compression. |
 | [Request Localization](xref:fundamentals/localization) | Provides localization support. | Before localization sensitive components. |
 | [Endpoint Routing](xref:fundamentals/routing) | Defines and constrains request routes. | Terminal for matching routes. |
diff --git a/aspnetcore/fundamentals/middleware/index/snapshot/StartupAll3.cs b/aspnetcore/fundamentals/middleware/index/snapshot/StartupAll3.cs
@@ -53,6 +53,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             app.UseAuthentication();
             app.UseAuthorization();
             // app.UseSession();
+            // app.UseResponseCaching();
 
             app.UseEndpoints(endpoints =>
             {
diff --git a/aspnetcore/performance/caching/middleware.md b/aspnetcore/performance/caching/middleware.md
@@ -29,7 +29,10 @@ In `Startup.ConfigureServices`, add the Response Caching Middleware to the servi
 
 Configure the app to use the middleware with the <xref:Microsoft.AspNetCore.Builder.ResponseCachingExtensions.UseResponseCaching*> extension method, which adds the middleware to the request processing pipeline in `Startup.Configure`:
 
-[!code-csharp[](middleware/samples/3.x/ResponseCachingMiddleware/Startup.cs?name=snippet2&highlight=16)]
+[!code-csharp[](middleware/samples/3.x/ResponseCachingMiddleware/Startup.cs?name=snippet2&highlight=17)]
+
+> [!WARNING]
+> <xref:Owin.CorsExtensions.UseCors%2A> must be called before <xref:Microsoft.AspNetCore.Builder.ResponseCachingExtensions.UseResponseCaching%2A> when using [CORS middleware](xref:security/cors).
 
 The sample app adds headers to control caching on subsequent requests:
 
diff --git a/aspnetcore/performance/caching/middleware/samples/3.x/ResponseCachingMiddleware/Startup.cs b/aspnetcore/performance/caching/middleware/samples/3.x/ResponseCachingMiddleware/Startup.cs
@@ -30,8 +30,9 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             }
 
             app.UseStaticFiles();
-
             app.UseRouting();
+            // UseCors must be called before UseResponseCaching
+            // app.UseCors("myAllowSpecificOrigins");
 
             app.UseResponseCaching();
 
diff --git a/aspnetcore/security/cors.md b/aspnetcore/security/cors.md
@@ -53,6 +53,9 @@ There are three ways to enable CORS:
 
 Using the [[EnableCors]](#attr) attribute with a named policy provides the finest control in limiting endpoints that support CORS.
 
+> [!WARNING]
+> <xref:Owin.CorsExtensions.UseCors%2A> must be called before <xref:Microsoft.AspNetCore.Builder.ResponseCachingExtensions.UseResponseCaching%2A> when using `UseResponseCaching`.
+
 Each approach is detailed in the following sections.
 
 <a name="np"></a>
@@ -61,14 +64,15 @@ Each approach is detailed in the following sections.
 
 CORS Middleware handles cross-origin requests. The following code applies a CORS policy to all the app's endpoints with the specified origins:
 
-[!code-csharp[](cors/3.1sample/Cors/WebAPI/Startup.cs?name=snippet&highlight=3,9,31)]
+[!code-csharp[](cors/3.1sample/Cors/WebAPI/Startup.cs?name=snippet&highlight=3,9,32)]
 
 The preceding code:
 
 * Sets the policy name to `_myAllowSpecificOrigins`. The policy name is arbitrary.
 * Calls the <xref:Microsoft.AspNetCore.Builder.CorsMiddlewareExtensions.UseCors*> extension method and specifies the  `_myAllowSpecificOrigins` CORS policy. `UseCors` adds the CORS middleware. The call to `UseCors` must be placed after `UseRouting`, but before `UseAuthorization`. For more information, see [Middleware order](xref:fundamentals/middleware/index#middleware-order).
 * Calls <xref:Microsoft.Extensions.DependencyInjection.CorsServiceCollectionExtensions.AddCors*> with a [lambda expression](/dotnet/csharp/programming-guide/statements-expressions-operators/lambda-expressions). The lambda takes a <xref:Microsoft.AspNetCore.Cors.Infrastructure.CorsPolicyBuilder> object. [Configuration options](#cors-policy-options), such as `WithOrigins`, are described later in this article.
 * Enables the `_myAllowSpecificOrigins` CORS policy for all controller endpoints. See [endpoint routing](#ecors) to apply a CORS policy to specific endpoints.
+* When using [Response Caching Middleware](xref:performance/caching/middleware), call <xref:Owin.CorsExtensions.UseCors%2A> before <xref:Microsoft.AspNetCore.Builder.ResponseCachingExtensions.UseResponseCaching%2A>.
 
 With endpoint routing, the CORS middleware **must** be configured to execute between the calls to `UseRouting` and `UseEndpoints`.
 
diff --git a/aspnetcore/security/cors/3.1sample/Cors/WebAPI/Startup.cs b/aspnetcore/security/cors/3.1sample/Cors/WebAPI/Startup.cs
@@ -25,6 +25,7 @@ public void ConfigureServices(IServiceCollection services)
                                   });
             });
 
+            // services.AddResponseCaching();
             services.AddControllers();
         }
         #endregion
@@ -42,6 +43,8 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
 
             app.UseCors(MyAllowSpecificOrigins);
 
+            // app.UseResponseCaching();
+
             app.UseAuthorization();
 
             app.UseEndpoints(endpoints =>

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)`
`53`	`53`	`app.UseAuthentication();`
`54`	`54`	`app.UseAuthorization();`
`55`	`55`	`// app.UseSession();`
	`56`	`+ // app.UseResponseCaching();`
`56`	`57`
`57`	`58`	`app.UseEndpoints(endpoints =>`
`58`	`59`	`{`
Original file line number	Diff line number	Diff line change
`@@ -30,8 +30,9 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`app.UseStaticFiles();`
`33`		`-`
`34`	`33`	`app.UseRouting();`
	`34`	`+ // UseCors must be called before UseResponseCaching`
	`35`	`+ // app.UseCors("myAllowSpecificOrigins");`
`35`	`36`
`36`	`37`	`app.UseResponseCaching();`
`37`	`38`