HTTP 500 if request to a CORS-enabled endpoint is requested without an origin header

[martincostello]

Describe the bug

If an HTTP request is made to a CORS-enabled endpoint where an origin HTTP request header is not specified, the request fails with an HTTP 500 error.

The exception in the logs is:

[2019-04-13 14:40:04Z] fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
System.InvalidOperationException: Endpoint MartinCostello.Api.Controllers.TimeController.Get (API) contains CORS metadata, but a middleware was not found that supports CORS.
Configure your application startup by adding app.UseCors() inside the call to Configure(..) in the application startup code.
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.ThrowMissingCorsMiddlewareException(Endpoint endpoint)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.HttpOverrides.HttpMethodOverrideMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

However, app.Cors() has been added to the application before app.UseEndpoints(...).

This appears to have been introduced by #9181.

If the request has no origin request header, then the CORS middleware is skipped:

https://github.com/aspnet/AspNetCore/blob/b93bc433db66175d2b07b128ec9990f7a4dd7e1b/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs#L122-L125

However, the endpoint middleware finds the CORS metadata on the endpoint being invoked, and checks whether the CORS middleware was invoked (which it was, but was skipped as not needed) by looking for a key in the HttpContext's items. The item isn't present, so an exception is thrown:

https://github.com/aspnet/AspNetCore/blob/84da613d2c03b6f1c0fa3c01828923ec3415d525/src/Http/Routing/src/EndpointMiddleware.cs#L51-L55

The key being tested by the endpoint middleware is only added if the origin header is present in the request, which is here:

https://github.com/aspnet/AspNetCore/blob/b93bc433db66175d2b07b128ec9990f7a4dd7e1b/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs#L140-L141

It would appear that two possible fixes are either:

1. The CORS middleware always adds the "I've run" value to HttpContext.Items, or:
2. The endpoint middleware also checks for the origin header if CORS metadata is present on the endpoint, and only throws the exception for the non-invocation of the CORS middleware if it is present in the HTTP request.

To Reproduce

1. Configure an ASP.NET Core MVC application to use CORS.
2. Add the [EnableCors(...)] attribute to a controller method.
3. Launch the application.
4. Perform a standard HTTP request (e.g. with cURL) to the endpoint.

Expected behavior

The request succeeds if no origin HTTP request header is provided.

Additional context

.NET Core SDK (reflecting any global.json):
 Version:   3.0.100-preview4-011204
 Commit:    621575bab1

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.17763
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\3.0.100-preview4-011204\

Host (useful for support):
  Version: 3.0.0-preview4-27612-09
  Commit:  64e9c3e1cd

[martincostello]

Issue was found as part of making this commit to a simple sandbox app: martincostello/api@a40a99f

[davidfowl]

cc @pranavkm