Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CORS support for PUT and DELETE with ASP.NET Web API

I am working with the final version of ASP.NET Web API to implement a JavaScript-friendly API. Per various tutorials, I have enabled CORS in my web.config:

<system.webServer>  <httpProtocol>   <customHeaders>     <add name="Access-Control-Allow-Origin" value="*" />     <add name="Access-Control-Allow-Headers" value="Content-Type" />   </customHeaders>  </httpProtocol> </system.webServer> 

With the above, cross-domain GET and POST requests work fine, but PUT and DELETE requests both fail.

In Chrome:

Method PUT is not allowed by Access-Control-Allow-Methods.

Method DELETE is not allowed by Access-Control-Allow-Methods.

Is there something additional required to get PUT and DELETE verbs working cross-domain?

like image 243
Nathan Taylor Avatar asked Sep 20 '12 21:09

Nathan Taylor


People also ask

What is use of CORS in asp net web API?

CORS is a W3C standard that allows you to get away from the same origin policy adopted by the browsers to restrict access from one domain to resources belonging to another domain. You can enable CORS for your Web API using the respective Web API package (depending on the version of Web API in use) or OWIN middleware.


2 Answers

It looks like adding another custom header sorted it out:

<system.webServer>  <httpProtocol>   <customHeaders>     <add name="Access-Control-Allow-Origin" value="*" />     <add name="Access-Control-Allow-Headers" value="Content-Type" />     <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />   </customHeaders>  </httpProtocol> </system.webServer> 
like image 168
Nathan Taylor Avatar answered Sep 20 '22 18:09

Nathan Taylor


Also, in addition to Nathan answer, make sure you disabled WebDAV IIS module and set runAllManagedModulesForAllRequests="true" setting in the web.config:

<system.webServer>   <modules runAllManagedModulesForAllRequests="true">     <remove name="WebDAVModule"/>   </modules>   <handlers>     <remove name="WebDAV" />   </handlers> </system.webServer> 

Without this, preflight CORS requests (which are used for PUT, DELETE methods and send additional OPTIONS request) will not work.

like image 24
whyleee Avatar answered Sep 19 '22 18:09

whyleee