We welcome user feedback and feature requests!

Access-Control-Allow-Credentials not set in credentialed CORS request

Not sure if this is a bug or a feature request. This is affecting me when using Azure Functions, but I beleive this has to do with the CORS implementation in Web Apps.

Basically, the Access-Control-Allow-Credentials header is not being set in response to credentialed requests.

Someone else posted this issue in the azure functions github, but @lindydonna said this was to do with Web Apps. Original github issue is here:

The problem is also documented on the official MS developer blog here:

62 votes
Sign in
Sign in with: Microsoft
Signed in as (Sign out)
You have left! (?) (thinking…)
Eric Jutrzenka shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Sign in with: Microsoft
Signed in as (Sign out)
  • Jason commented  ·   ·  Flag as inappropriate

    I am also hit by this issue but with a web app. The CORS functionality in Azure currently seems broken if one wants their application to be secured with Azure AD. How do people develop Angular apps locally when it seems completely impossible to connect to the backend.

  • Chris Gillum (MSFT) commented  ·   ·  Flag as inappropriate

    Thanks everyone for the discussion and for the good points you have raised. We've moved this request back into the "Under Review" status and are currently discussing how and when to implement support for Access-Control-Allow-Credentials. No timelines we can share yet, but we agree that this feature is necessary.

  • Joshua Lloyd commented  ·   ·  Flag as inappropriate

    If the portal "should not be used for CORS features", then how is it reasonable to offer a CORS configuration page for domains? This feature request is clearly for extending the support for CORS, since you've already developed partial support. If there was no support in Azure Portal at all for CORS I could reasonably understand your choice to decline. However, as it stands currently the CORS support in Azure Portal *IS* present, but is not complete. This request is to complete it. I decline your reason for declining. Please reconsider this issue. Currently, the portal is getting in the way of proper CORS responses since taking over the CORS response in user-code means working around the partial CORS support in the App Service/Portal.

  • Frank Hellwig commented  ·   ·  Flag as inappropriate

    This was a real struggle for me as well... trying to leverage App Service Authentication / Authorization (Easy Auth) locally, during development and test for my Express API app running on my localhost.

    I ended up writing an Express middleware module that works around this: https://www.npmjs.com/package/azure-easy-auth-local

    While an Express/Node.js module, the concepts can be applied in other environments as well.

  • Eric Jutrzenka commented  ·   ·  Flag as inappropriate

    The article says that it is a known issue and that what is stated in the article is a work-around and breaks the portal functionality as you have to remove all origins. Also, this isn't just to do with the portal, the same problem arises when defining via an ARM template.

  • Doug commented  ·   ·  Flag as inappropriate

    I don't understand what you're saying:
    "We’re declining this feature request since the App Service (Web Apps) CORS feature doesn’t support “supports credentials."

    Wasn't that what this request was for? To allow you to set it in the portal, so you don't have to do it manually?

Feedback and Knowledge Base