The CORS Policy for SignalR also requires allowing DELETE

[Tragetaschen]

Description

The list currently mentions only POST and GET, but for the Long Polling transport, DELETE is issued by the client as well:

https://github.com/dotnet/aspnetcore/blob/v10.0.2/src/SignalR/clients/ts/signalr/src/LongPollingTransport.ts#L173-L184

Page URL

https://learn.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-10.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/signalr/security.md

Document ID

58e87eb0-240b-ab00-c5f4-32a0ab2e0028

Platform Id

be1a5417-78c4-e115-0552-09f7ddc509c4

Article author

@wadepickett

Metadata

• ID: 8af11946-ea05-3be2-6fa1-c4c01aa76d8c
• PlatformId: be1a5417-78c4-e115-0552-09f7ddc509c4
• Service: aspnet-core
• Sub-service: aspnetcore-signalr

Related Issues

[wadepickett]

Thanks @Tragetaschen for taking the time to point this out. Very appreciated!

[wadepickett]

🤖 AI Triage Summary

📌 Note to community: This is an automated preliminary analysis to help our documentation team quickly review, determine scope and prioritize this issue. This report is not a resolution and all findings should be verified by a human reviewer before action is taken.

---

This preliminary assessment report was run by: @wadepickett
Date: 2026-01-23
Issue: 36663
Model: GitHub Copilot

---

Issue Analysis: CORS Policy for SignalR Missing DELETE Method Requirement

✅ Issue Validation

Status: Valid and actionable

���� Issue Summary

The SignalR security documentation currently states that CORS policies must allow only HTTP methods GET and POST. However, when using the Long Polling transport, the SignalR TypeScript client also issues DELETE requests to clean up connections on the server. This omission could cause CORS failures for developers using Long Polling transport with cross-origin configurations.

The issue reporter has provided evidence from the ASP.NET Core SignalR client source code (LongPollingTransport.ts) showing the DELETE request is issued during the stop() method.

📁 Potentially Affected Files

These files have been identified as possibly related to this issue and may need review.

File	Path	Lines	Section
Main article	aspnetcore/signalr/security.md	27-31	"Cross-Origin Resource Sharing"
Include (7.0)	aspnetcore/signalr/security/includes/security7.md	13-17	"Cross-Origin Resource Sharing"
Include (6.0)	aspnetcore/signalr/security/includes/security6.md	13-17	"Cross-Origin Resource Sharing"
Code sample	aspnetcore/signalr/security/sample/SignalR_CORS6-8/Program.cs	15	WithMethods() call

📝 Preliminary Change Assessment

The following are initial observations for the documentation team to evaluate—not final decisions.

Potential Documentation Updates

File 1: aspnetcore/signalr/security.md

Location: Line 30
Type: Text modification

Current content (line 30):

* HTTP methods `GET` and `POST` must be allowed.

Suggested direction:

* HTTP methods `GET`, `POST`, and `DELETE` must be allowed. The `DELETE` method is required for the Long Polling transport to clean up connections on the server.

File 2: aspnetcore/signalr/security/includes/security7.md

Location: Line 16
Type: Text modification

Current content (line 16):

* HTTP methods `GET` and `POST` must be allowed.

Suggested direction:

* HTTP methods `GET`, `POST`, and `DELETE` must be allowed. The `DELETE` method is required for the Long Polling transport to clean up connections on the server.

File 3: aspnetcore/signalr/security/includes/security6.md

Location: Line 16
Type: Text modification

Current content (line 16):

* HTTP methods `GET` and `POST` must be allowed.

Suggested direction:

* HTTP methods `GET`, `POST`, and `DELETE` must be allowed. The `DELETE` method is required for the Long Polling transport to clean up connections on the server.

Potential Code Sample Updates

File: aspnetcore/signalr/security/sample/SignalR_CORS6-8/Program.cs
Lines: 15
Change: Modify

Current code:

policy.WithMethods("GET", "POST");

Suggested direction:

policy.WithMethods("GET", "POST", "DELETE");

🎯 Suggested Action Plan

For documentation team review

1. Review and update main article: aspnetcore/signalr/security.md

   • Navigate to: Line 30
   • Section: "Cross-Origin Resource Sharing"
   • Update the required HTTP methods list to include DELETE

2. Review and update include file (7.0): aspnetcore/signalr/security/includes/security7.md

   • Navigate to: Line 16
   • Update the required HTTP methods list to include DELETE

3. Review and update include file (6.0): aspnetcore/signalr/security/includes/security6.md

   • Navigate to: Line 16
   • Update the required HTTP methods list to include DELETE

4. Review and update code sample: aspnetcore/signalr/security/sample/SignalR_CORS6-8/Program.cs

   • Navigate to: Line 15
   • Add "DELETE" to the WithMethods() call

5. Check for older version include files: Verify if security2.1-5.md also needs similar updates for older framework versions.

⚠️ Review Considerations

• Verify this change applies to all supported .NET versions (6.0, 7.0, 8.0, 9.0, 10.0)
• The DELETE requirement is specifically for Long Polling transport - consider clarifying this in the documentation
• WebSocket and Server-Sent Events transports may not require DELETE
• Consider adding a [!NOTE] block to explain when DELETE is needed (Long Polling scenarios)

🔗 References

• Published article: https://learn.microsoft.com/en-us/aspnet/core/signalr/security?view=aspnetcore-10.0
• Source evidence: LongPollingTransport.ts - DELETE request (lines 173-184)
• Content source URL: https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/signalr/security.md