
enabling cross-origin resource sharing on IIS7

I recently ran into a problem with posting JavaScript requests to another domain. By default, XHR posting to other domains is not allowed.

Following the instructions from http://enable-cors.org/, I enabled this on the other domain.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
            <add name="Access-Control-Allow-Headers" value="Content-Type" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    </configuration>


Everything works fine now; however, it still returns a 405 response before sending back the working 200 response.

    Request URL:http://testapi.nottherealsite.com/api/Reporting/RunReport
    Request Method:OPTIONS
    Status Code:405 Method Not Allowed

    Request Headers
    Accept:*/*
    Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
    Accept-Encoding:gzip,deflate,sdch
    Accept-Language:en-GB,en-US;q=0.8,en;q=0.6
    Access-Control-Request-Headers:origin, content-type, accept
    Access-Control-Request-Method:POST
    Connection:keep-alive
    Host:testapi.nottherealsite.com
    Origin:http://test.nottherealsite.com
    Referer:http://test.nottherealsite.com/Reporting
    User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

    Response Headers
    Access-Control-Allow-Headers:Content-Type
    Access-Control-Allow-Methods:GET,PUT,POST,DELETE,OPTIONS
    Access-Control-Allow-Origin:*
    Allow:POST
    Cache-Control:private
    Content-Length:1565
    Content-Type:text/html; charset=utf-8
    Date:Tue, 18 Sep 2012 14:26:06 GMT
    Server:Microsoft-IIS/7.5
    X-AspNet-Version:4.0.30319
    X-Powered-By:ASP.NET

Update: 3/02/2014

There is a recently updated article in MSDN Magazine detailing CORS support in ASP.NET Web API 2.

http://msdn.microsoft.com/en-us/magazine/dn532203.aspx

Andrew asked Sep 17 '12 11:09



2 Answers

It is likely a case of IIS 7 'handling' the HTTP OPTIONS response instead of your application specifying it. To determine this, in IIS7,

  1. Go to your site's Handler Mappings.

  2. Scroll down to 'OPTIONSVerbHandler'.

  3. Change the 'ProtocolSupportModule' to 'IsapiHandler'

  4. Set the executable: %windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll

Now, your config entries above should kick in when an HTTP OPTIONS verb is sent.

Alternatively you can respond to the HTTP OPTIONS verb in your BeginRequest method.

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

        if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
        {
            // These headers are handling the "pre-flight" OPTIONS call sent by the browser
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
            HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
            HttpContext.Current.Response.End();
        }
    }
Mendhak answered Oct 20 '22 13:10
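A stricter variant of the `Application_BeginRequest` handler above, added here as an example and not code from either answer: it sends `Access-Control-Allow-Origin` only to origins on an allowlist instead of `*` to every caller. The class name `Global` and the `AllowedOrigins` set are assumptions; its single entry is the `Origin` value from the question's request capture.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: the only front end allowed to call this API is the origin
    // seen in the question's request capture. Replace with your real origins.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "http://test.nottherealsite.com" };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = HttpContext.Current.Request;
        HttpResponse response = HttpContext.Current.Response;
        string origin = request.Headers["Origin"];
        bool isPreflight = request.HttpMethod == "OPTIONS"
            && request.Headers["Access-Control-Request-Method"] != null;

        // The response now differs per Origin, so caches must key on it.
        response.AppendHeader("Vary", "Origin");

        if (string.IsNullOrEmpty(origin) || !AllowedOrigins.Contains(origin))
        {
            // Unknown origin: send no CORS headers, so the browser refuses the
            // cross-origin read, and do not answer its preflight with success.
            if (isPreflight)
            {
                response.StatusCode = 403;
                response.End();
            }
            return;
        }

        // Echo the one matching origin instead of "*".
        response.AddHeader("Access-Control-Allow-Origin", origin);

        if (isPreflight)
        {
            // Same pre-flight headers as the handler in the answer above.
            response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
            response.AddHeader("Access-Control-Max-Age", "1728000");
            response.End();
        }
    }
}
```

If the `customHeaders` block from the question is still in Web.config, remove its `Access-Control-Allow-Origin` entry; otherwise IIS adds a second value to that header and browsers reject the response.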


I can't post comments so I have to put this in a separate answer, but it's related to the accepted answer by Shah.

I initially followed Shah's answer (thank you!) by reconfiguring the OPTIONSVerbHandler in IIS, but my settings were restored when I redeployed my application.

I ended up removing the OPTIONSVerbHandler in my Web.config instead.

    <handlers>
        <remove name="OPTIONSVerbHandler"/>
    </handlers>
Hein Andre Grønnestad answered Oct 20 '22 12:10