Is it possible to make a preflight OPTIONS request with .NET HttpClient to perform integration test against Rest API's to test CORs behavior?
I am in the process of writing integration tests that verify our Rest APIs CORs behavior. The test solution is written against .NET Framework and we are using HttpClient
to perform all of our requests. I do understand that CORs
preflight request is sent by the browser by adding Origin
, Access-Control-Request-Method
and Access-Control-Request-Headers
headers and the returned response should contain something like akin to this:
Set-Cookie: cookie-from-server=noop Content-Length: 0 Content-Type: application/json Access-Control-Allow-Origin: https://www.test-cors.org Cache-Control: no-cache
The Rest API is configured with CORs
that allows any origin *
and allows any method *
.
With the above mentioned the response from the Rest API should include the Access-Control-Allow-Origin
header. However, the way I construct my request I am able to perform the request:
testCaseData.Headers.Add("Origin", "http://localhost:8008"); testCaseData.Headers.Add("Access-Control-Request-Method", "POST"); testCaseData.Headers.Add("Access-Control-Request-Headers", "origin content-type accept" ); testCaseData.HttpMethod = HttpMethod.Options;
This seems to always work, however the response headers that are returned, always just mirror the headers I set:
"Origin", "http://localhost:8008" "Access-Control-Request-Method", "POST" "Access-Control-Request-Headers", "origin content-type accept"
I was expecting to see Access-Control-Allow-Origin
which would allow me to Assert that if CORs
is correctly enabled those headers should be included in the response.
Any ideas how I write an integration test to test this behavior without a client, with simply .NET http client?