Configure IIS Express 8 to enable CORS

I'm writing WCF services that will be used by clients out in the wild so they need to handle cross-origin requests. I have a problem with enabling my development server to accept such requests. Here is the scenario:

  • I'm running the WCF project in an instance of Visual Studio 2012, using IIS Express 8 as the server on a specific port.
  • I'm running the client project in another instance of Visual Studio 2012, also using IIS Express 8 as the server. This project uses AJAX to consume services in the other project.

When I run the client project in IE there is no problem because IE does not send the preflight OPTIONS request. When I run it in Chrome however the preflight OPTIONS request returns a 405 Method Not Allowed and Chrome gives up on the service. Previous versions of Chrome would just ignore the error and continue with the actual POST request (or Get, whatever...) but later versions appear to be pickier.

I've also run into this with a deployed WCF project and solved it by moving the OPTIONSVerbHandler to the top of the Handler Mappings list in IIS.

I should point out that I'm using the most generous web.config settings I can think of to try to allow CORS. For instance I have this in the WCF project's configuration:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="*" />
    <add name="Access-Control-Allow-Methods" value="*" />
    <add name="X-Powered-By" value="*" />
  </customHeaders>
</httpProtocol>

Regardless, any client cross-origin requests to the WCF project running from code fail with the 405 error.

Any help setting up either the WCF project itself or IIS Express 8 to enable CORS?

Thanks!

djo.dadof2 asked Oct 11 '13 16:10


3 Answers

You can enable CORS for WCF, and it could be quite simple, once you know how.

Elaborating on DavidG's response to the more general question "cors on IIS", a response which is really close to what is required for a basic solution:

  • First, configure the OPTIONSVerbHandler to execute before .NET handlers.

    1. In the IIS console, select "Handler Mappings". (Do this either on server level or site level. On site level it will redefine all the handlers for your site and ignore any change made on server level after that. And of course on server level, this could break other sites if they need their own handling of the OPTIONS verb.)
    2. In the Action pane, select "View ordered list...". Find OPTIONSVerbHandler, and move it up (lots of clicks...).

    You can also do this in web.config by redefining all handlers under <system.webServer><handlers>. (<clear> then <add ...> them back; this is what the IIS console does for you. By the way, there is no need to ask for "read" permission on this handler.)

  • Second, configure custom HTTP headers for your CORS needs, such as:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*"/>
          <add name="Access-Control-Allow-Headers" value="Content-Type"/>
          <add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    

    This example sets them for all responses to all requests on the site/app/directory in which the web.config is located. If you want to restrict them to some URL, put that in a <location> tag.
    You can also add those custom headers in the IIS console.

This is a basic solution since it will send CORS headers even on requests which do not require them, maybe opening your application to unexpected usages. But with WCF, it looks like the simplest one.

With MVC or Web API, we could instead handle the OPTIONS verb and CORS headers in code (either "manually" or with the built-in support available in the latest version of Web API).

Frédéric answered Sep 22 '22 19:09


"*" as a value is only valid for Access-Control-Allow-Origin. For the others you need to be explicit. For example:

Access-Control-Allow-Methods: GET, PUT, POST, DELETE

or alternatively:

Access-Control-Allow-Methods: PUT, DELETE

because the spec says GET and POST are implied.

Brock Allen answered Sep 22 '22 19:09
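Added example, not part of any answer and not code from the original page: a small JavaScript checker that applies the preflight rules discussed in the two answers above to a recorded OPTIONS response, so you can see why a given configuration is rejected. The function name `checkPreflight`, the origin and both sample responses are constructed for illustration; it assumes "*" in Access-Control-Allow-Methods and Access-Control-Allow-Headers is compared literally, as the answer above describes, which is stricter than browsers that accept the wildcard there for requests without credentials.

```javascript
// Added example: applies the browser's preflight checks to a recorded response.
// "*" in Allow-Methods / Allow-Headers is compared literally (assumption, see lead-in).
const IMPLIED_METHODS = new Set(["GET", "HEAD", "POST"]);
const splitList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

function checkPreflight(req, res, { credentials = false } = {}) {
  const problems = [];
  const h = {};
  for (const [k, v] of Object.entries(res.headers || {})) h[k.toLowerCase()] = v;

  // 1. The OPTIONS request itself must succeed; a 405 ends the exchange here.
  if (res.status < 200 || res.status > 299)
    problems.push(`preflight returned HTTP ${res.status}`);

  // 2. Origin must match exactly, or be "*" when no credentials are sent.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === "*") {
    if (credentials) problems.push("wildcard origin is not accepted with credentials");
  } else if (allowOrigin !== req.origin) {
    problems.push(`Access-Control-Allow-Origin does not match ${req.origin}`);
  }

  // 3. Methods other than GET/HEAD/POST must be listed explicitly.
  const methods = splitList(h["access-control-allow-methods"]);
  if (!IMPLIED_METHODS.has(req.method) && !methods.includes(req.method))
    problems.push(`method ${req.method} is not in Access-Control-Allow-Methods`);

  // 4. Every name from Access-Control-Request-Headers must be listed (case-insensitive).
  const allowedHeaders = new Set(
    splitList(h["access-control-allow-headers"]).map((s) => s.toLowerCase()));
  for (const name of req.requestHeaders.map((s) => s.toLowerCase()))
    if (!allowedHeaders.has(name))
      problems.push(`header ${name} is not in Access-Control-Allow-Headers`);

  return { allowed: problems.length === 0, problems };
}

// Constructed sample data, modelled on the configurations quoted on this page.
const preflight = { origin: "http://localhost:50001", method: "POST",
                    requestHeaders: ["content-type"] };
const questionResponse = { status: 405, headers: {
  "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "*",
  "Access-Control-Allow-Methods": "*" } };
const answerResponse = { status: 200, headers: {
  "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Headers": "Content-Type",
  "Access-Control-Allow-Methods": "POST,GET,OPTIONS" } };

console.log(checkPreflight(preflight, questionResponse));
console.log(checkPreflight(preflight, answerResponse));
```

Passing `{ credentials: true }` as the third argument shows the additional rejection of the wildcard origin when the AJAX call sends cookies or HTTP authentication.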


The answer is that the configuration needed to enable WCF to accept CORS preflight messages has nothing to do with the IIS server; rather, the WCF project itself needs to be configured to handle the HTTP request with the OPTIONS verb.

Long story short: doing this is REALLY HARD. WCF is a jack of all trades when it comes to endpoints so setting it up to do something very specific with one (HTTP) is not advisable, although it can be done. The real solution is to use Web API, which is a master of HTTP and can be set up to do CORS very simply.

djo.dadof2 answered Sep 20 '22 19:09