CORS not working with route

Question

I have an issue with an endpoint on my web api. I have a POST method that is not working due to:

Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 405.

I cannot see why that is not working since I have plenty of methods that are working indeed with the same COSR configuration. The only difference is that this method has a specified route, as you can see below:

// POST: api/Clave
        [EnableCors(origins: "*", headers: "*", methods: "*", SupportsCredentials = true)]
        [Route("{id:int}/clave")]
        [HttpPost]
        public HttpResponseMessage Post(int id, [FromBody]CambioClaveParameters parametros)
        {
            UsuarioModel usuario = SQL.GetUsuario(id);

            if (Hash.CreateMD5(parametros.ViejaClave) != usuario.Clave.ToUpper())
            {
                return Request.CreateResponse(HttpStatusCode.BadRequest);
            }
            else if (Hash.CreateMD5(parametros.ViejaClave) == usuario.Clave.ToUpper())
            {
                SQL.ModificarClaveUsuario(id, Hash.CreateMD5(parametros.NuevaClave));

                return Request.CreateResponse(HttpStatusCode.OK);
            }
            else
            {
                return Request.CreateResponse(HttpStatusCode.InternalServerError);
            }
        }

Any Ideas of why this is happening?.

Thanks!.

Answer 1

Hope you are doing good ! you can use below code that will allow origin access on each request response.

 protected void Application_BeginRequest(object sender, EventArgs e)
        {
   HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", *");}

for more reference you can get help from below link. http://enable-cors.org/server_aspnet.html

Answer 2

Based upon the word "preflight" in your message, this is an OPTIONS verb issue. If you examine the requests and responses, I believe you'll see that the request directly before your POST is an OPTIONS request. The OPTIONS request is asking the server what methods are allowed to be called. If you haven't enabled an OPTIONS response, or your OPTIONS response doesn't include the POST method for that Uri, you'll get this response.

Here's a link describing the concept (see section Preflight CORS Requests) https://msdn.microsoft.com/en-us/magazine/dn532203.aspx

To account for this bypassing everything OPTIONS is designed to do, you can add code similar to this (don't be a cargo-cult programmer) to a new or existing module's BeginRequest method:

if (context.Request.HttpMethod.ToLower() == "options")
{
   var origin = context.Request.Headers["origin"];
   context.Response.StatusCode = 200;
   context.Response.AddHeader("Access-Control-Allow-Origin", origin);
   context.Response.AddHeader("Access-Control-Allow-Credentials", "true");
   context.Response.AddHeader("Access-Control-Allow-Methods", "POST, GET, PUT, DELETE, OPTIONS");
   context.Response.End();
}

Ideally, though, you would want to programmatically determine whether the request is a valid, and if so, then output a response customized for what is actually allowed.