CORS No 'Access-Control-Allow-Origin' header in production Angular/Netcore app

I am trying to learn the deployemnt part of an application and I get this error:

Access to XMLHttpRequest at 'https://somerealurl/MsDeploy.axd?site=x-001-site1/auth/register' from origin 'http://someurl' has been blocked by CORS policy: 
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Website was deployed on sharkaspnet

Here is the CORS that I have for development but was still left in the code:

public static IServiceCollection CorsServicesExtensions(this IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
                builder => builder
                .AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader()
                );

            options.AddPolicy("signalr",
                builder => builder
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials()
                .SetIsOriginAllowed(hostName => true));
        });

        return services;
    }

I just use the names inside controllers. I tried to add app.UseCors("") but no change.

Do I need to do something on the hosting website? Or change these CORS settings somehow to fit the production?

I also added in the angular the header with the request

register(model: any) {
  const httpOptions = {
    headers: new HttpHeaders({
      'Access-Control-Allow-Origin': '*',
    })    
  };
  return this.http.post(`${this.baseUrl}${ApiPaths.register}`, model, httpOptions)
}

If you need more info please specify I don't know what could I show more. I would prefer to learn how is done in production not just enable everything and thats all.

So as per DFSFOT comment I added this info:

I used just app.UseCors("*") still nothing changed

This is the Preflight request:

General

Request URL: https://someurl/MsDeploy.axd?site=sitename-001-site1/auth/register
Request Method: OPTIONS
Status Code: 401 
Remote Address: 199.102.48.16:8172
Referrer Policy: strict-origin-when-cross-origin

Response Headers

content-length: 0
date: Thu, 05 May 2022 15:21:05 GMT
server: Microsoft-IIS/10.0
www-authenticate: Basic realm ="WebManagementService"
www-authenticate: Basic realm="win8016.site4now.net"

Request Headers

:authority: win8016.site4now.net:8172
:method: OPTIONS
:path: /MsDeploy.axd?site=somename-001-site1/auth/register
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,ro-RO;q=0.8,ro;q=0.7
access-control-request-headers: access-control-allow-origin,content-type
access-control-request-method: POST
origin: http://somename-001-site1.itempurl.com
referer: http://somename-001-site1.itempurl.com/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

Then comes the CORS

General

Request URL: https://win8016.site4now.net:8172/MsDeploy.axd?site=somename-001-site1/auth/register
Referrer Policy: strict-origin-when-cross-origin

Request Headers

Provisional headers are shown
Learn more
Accept: application/json, text/plain, */*
Access-Control-Allow-Origin: *
Content-Type: application/json
Referer: http://somename-001-site1.itempurl.com/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

So after all this painful copy paste, I am gonna try to explain what I understood from your comment.

Watching at the Preflight OPTIONS Request Headers I am noticing this access-control-request-headers: access-control-allow-origin,content-type and this I need to allow both in the Program.cs, like in app.UseCors ? I am very confused sorry, this is actually first time deploying with netcore, but if I don't ask I don't learn.

Edit per second comment:

builder.Services.CorsServicesExtensions();
builder.Services.DatabaseContextExtensions(builder.Configuration);
builder.Services.ApplicationExtensions(builder.Configuration);
builder.Services.AuthenticationExtentions(builder.Configuration);

var app = builder.Build();


if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.Use(async (context, next) =>
{
    await next();

    if (context.Response.StatusCode == 404 && !Path.HasExtension(context.Request.Path.Value))
    {
        context.Request.Path = "/index.html";
        await next();
    }
});

app.UseDefaultFiles();
app.UseStaticFiles();

app.UseExceptionHandler(builder =>
{
    builder.Run(async context =>
    {
        context.Response.StatusCode = (int)HttpStatusCode.InternalServerError;

        var error = context.Features.Get<IExceptionHandlerFeature>();
        if (error != null)
        {
            context.Response.AddApplicationError(error.Error.Message);
            await context.Response.WriteAsync(error.Error.Message);
        }
    });
});

app.UseRouting();
//app.UseHttpsRedirection();  


app.UseCors("DeployCors");

app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    app.MapControllers();
    endpoints.MapHub<ChatHub>("chathub");
});

app.Run();

Core services extentions contain:

       public static IServiceCollection CorsServicesExtensions(this IServiceCollection services)
    {
        services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy",
                builder => builder
                .AllowAnyOrigin()
                .AllowAnyMethod()
                .AllowAnyHeader()
                );

            options.AddPolicy("DeployCors", policy =>
            {
                policy
                    .AllowAnyOrigin()
                            .AllowAnyMethod()
                .AllowAnyHeader();
            });

            options.AddPolicy("signalr",
                builder => builder
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials()
                .SetIsOriginAllowed(hostName => true));
        });

        return services;
    }

Well DeployCors doesn't look any special now, but I tried yesterday a bunch of things that didn't work and here I am left with it. I've learnt that app.UseCors needs to be between routing and authentication so today I gotta try again all the different things once more again. I tried to allow the specific website url, I changed the settings around, I checked the order I add the options

launchSettings.json

{
  "profiles": {
    "API": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:63645;http://localhost:63646"
    }
  }
}
How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum