I've followed the usual steps for enabling CORS in Web API, but I get a 404 response to an OPTIONS request in Chrome, and in Firefox I get "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.mydomain.com/api/1/widgets. This can be fixed by moving the resource to the same domain or enabling CORS."
In my WebApiConfig.cs I've got:
var enableCorsAttribute = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(enableCorsAttribute);
I've also tried adding EnableCors attributes to the specific controllers or actions, and all have the same result.
I've also added the following to my web.config:
<modules runAllManagedModulesForAllRequests="true">
  <remove name="WebDAVModule" />
</modules>
<handlers>
  <remove name="WebDAV" />
  ...
Here is my JavaScript:
$.ajax({
  url: 'https://api.mydomain.com/api/1/widgets',
  type: "GET",
  headers: {
    Accept: "text/html; charset=utf-8",
    Authorization: 'Bearer ???????????????????????????????'
  }
});
But the response is 404 in Chrome and "Cross-Origin request Blocked" in Firefox.
Here are the details of the failing request from my Chrome developer toolbar:
Remote Address:??.???.???.???:443
Request URL:https://api.mydomain.com/api/1/widgets
Request Method:OPTIONS
Status Code:404 Not Found
Request
OPTIONS /api/1/widgets HTTP/1.1
Host: api.mydomain.com
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://myotherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Access-Control-Request-Headers: accept, authorization
Accept: */*
Referer: http://myotherdomain.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6
Response
HTTP/1.1 404 Not Found
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin: http://myotherdomain.com
Access-Control-Allow-Credentials: true
X-AspNetMvc-Version: 5.0
X-UA-Compatible: IE=edge,chrome=1
X-Frame-Options: SAMEORIGIN
Cache-conrol: no-store
Date: Thu, 28 Aug 2014 16:00:28 GMT
Content-Length: 341
What am I missing?
First, we need to enable CORS in Web API, then we call the service from another application's AJAX request. In order to enable CORS, we need to install the JSONP package from NuGet (see Figure 3). After adding the JSONP package, we need to add the following code snippet to the App_Start\WebApiConfig.cs file.
Cross-origin resource sharing (CORS) is a browser security feature that restricts cross-origin HTTP requests that are initiated from scripts running in the browser. If your REST API's resources receive non-simple cross-origin HTTP requests, you need to enable CORS support.
This article shows how to enable CORS in an ASP.NET Core app. Browser security prevents a web page from making requests to a different domain than the one that served the web page. This restriction is called the same-origin policy.
In case anyone else has the same problem, this issue was due to the fact that we were using Microsoft's excellent UrlScan in IIS.
UrlScan has an AllowVerbs section and a DenyVerbs section. Ensure that the OPTIONS verb is allowed.
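Why the browser blocks the call even though the 404 response carries Access-Control-Allow-Origin, as an added example that is not part of the original question or answer: a simplified JavaScript model of the browser's preflight checks, run against the captured exchange. The function and object names are hypothetical, the sample data is transcribed from the capture above, and the request is assumed to be sent without credentials.

```javascript
// Added example: simplified model of the checks a browser runs on a CORS preflight.
// Sample data transcribed from the capture in the question; names are hypothetical.
const preflightRequest = {
  origin: 'http://myotherdomain.com',
  method: 'GET',                         // Access-Control-Request-Method
  headers: ['accept', 'authorization'],  // Access-Control-Request-Headers
};
const capturedResponse = {
  status: 404,
  headers: {
    'access-control-allow-origin': 'http://myotherdomain.com',
    'access-control-allow-credentials': 'true',
  },
};

// Split a comma-separated header value into lower-cased tokens.
function tokens(value) {
  return (value || '').split(',').map(t => t.trim().toLowerCase()).filter(Boolean);
}

// Returns { allowed, reason }. Assumes a request without credentials, so "*" is honoured.
function evaluatePreflight(req, res) {
  const h = res.headers;
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== req.origin) {
    return { allowed: false, reason: 'origin not allowed' };
  }
  // The preflight response must be 2xx; CORS headers on an error page do not count.
  if (res.status < 200 || res.status > 299) {
    return { allowed: false, reason: `preflight status ${res.status} is not 2xx` };
  }
  // GET, HEAD and POST never need to be listed in Access-Control-Allow-Methods.
  const allowMethods = tokens(h['access-control-allow-methods']);
  if (!['GET', 'HEAD', 'POST'].includes(req.method) &&
      !allowMethods.includes(req.method.toLowerCase()) && !allowMethods.includes('*')) {
    return { allowed: false, reason: `method ${req.method} not allowed` };
  }
  const allowHeaders = tokens(h['access-control-allow-headers']);
  for (const name of req.headers) {
    // "*" never covers Authorization; it has to be listed by name.
    const wildcard = allowHeaders.includes('*') && name !== 'authorization';
    if (!allowHeaders.includes(name) && !wildcard) {
      return { allowed: false, reason: `header ${name} not allowed` };
    }
  }
  return { allowed: true, reason: 'ok' };
}

console.log(evaluatePreflight(preflightRequest, capturedResponse));
```

Once the OPTIONS request reaches Web API and returns a 2xx status, the same function shows whether the response also lists `authorization` in Access-Control-Allow-Headers.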