CORS Headers appended to HTTP Response not Sent to Browser

Question

I am writing directly to the request headers in an ASP.NET MVC via the HttpContext.Current object and yet these headers are not being sent to the browser... Any idea what could cause this? I ONLY get the headers if I add them via the web.config. This does not work for me as I need to allow multiple domains to Access-Control-Allow-Origin.

I attempted to write the headers directly to HttpContext.Current using this code.

context.Response.AppendHeader("Access-Control-Allow-Origin", origin);
context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
context.Response.ContentType = "text/plain";
context.Response.Write("Hello World " + DateTime.Now.ToString());

I get the hello world but not the headers.

I have also attempted to use Thinktecture.IdentityModel.Http.Cors.WebApi but get the same results, which is nothing. I have checked an rechecked my code to be sure it conforms to the tutorial]1. I have configured the headers in the Web.config and attempted via Thinktecture however I only get the headers when Access-Control-Allow-Origin is in the web.config but I still get an error in Chrome/FF. It seems like the headers are only being sent on the OPTIONS request but I am not certain.

Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,ga;q=0.6,pt-BR;q=0.4,pt;q=0.2
Access-Control-Request-Headers:accept, origin, content-type
Access-Control-Request-Method:GET
Authorization:Negotiate REDACTED
Cache-Control:max-age=0
Connection:keep-alive
Host:bpapi.domain.com
Origin:http://dev-02
Referer:http://dev-02/_Layouts/PAR/NewParItem.aspx
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31


HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
Persistent-Auth: false
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: http://dev-02
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
WWW-Authenticate: Negotiate REDACTED
Date: Sat, 06 Apr 2013 00:35:31 GMT
Content-Length: 0

Here is the web.config as a pastebin so as not to clutter up the question. WebDAV is not installed.

public class CorsConfig
{
    public static void RegisterCors(HttpConfiguration httpConfig)
    {
        WebApiCorsConfiguration corsConfig = new WebApiCorsConfiguration();

        corsConfig.RegisterGlobal(httpConfig);

        corsConfig
                .ForResources(new string[] { "Industries", "Projects" })
                .ForOrigins(new string[] { "http://dev-01", "http://dev-02" })
                .AllowAll();
    }
}

Here is the Thinktecture code:

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();

        WebApiConfig.Register(GlobalConfiguration.Configuration);
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
        //CorsConfig.RegisterCors(GlobalConfiguration.Configuration);
        RegisterCors(MvcCorsConfiguration.Configuration);
    }
    private void RegisterCors(MvcCorsConfiguration corsConfig)
    {
        corsConfig
            .ForResources(new string[] {"Industries", "Projects" })
            .ForOrigins(new string[] { "http://dev-01", "http://dev-02" })
            .AllowAll();
    }

Update 2013/04/09: Neither context.Response.AppendHeader(...) nor context.Response.AddHeader(...) have any effect. Chrome and FF seem to be OK if they get JSONP regardless of the allow origin header so my project at the very least works. I have also tried <remove name="OPTIONSVerbHandler"/> with no success. I will be deploying the MVC app to a new server to see if it is something localized to the specific machine.

Answer 1

May be, your troubles are due to OPTIONSVerbHandler. See this link for details:
http://eugeneagafonov.com/post/38312919044/iis-options-cors-aspnet-webapi-en