Menu
I recently ran into with posting Javascript requests to another domain. By default XHR posting to other domains is not allowed.
Following the instructions from http://enable-cors.org/, I enabled this on the other domain.
<?xml version="1.0" encoding="utf-8"?> <configuration> <system.webServer> <httpProtocol> <customHeaders> <add name="Access-Control-Allow-Origin" value="*" /> <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" /> <add name="Access-Control-Allow-Headers" value="Content-Type" /> </customHeaders> </httpProtocol> </system.webServer> </configuration> 
Everything works fine now, however it is still return a 405 response before sending back the working 200 response.
Request URL:http://testapi.nottherealsite.com/api/Reporting/RunReport Request Method:OPTIONS Status Code:405 Method Not Allowed Request Headersview source Accept:*/* Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3 Accept-Encoding:gzip,deflate,sdch Accept-Language:en-GB,en-US;q=0.8,en;q=0.6 Access-Control-Request-Headers:origin, content-type, accept Access-Control-Request-Method:POST Connection:keep-alive Host:testapi.nottherealsite.com Origin:http://test.nottherealsite.com Referer:http://test.nottherealsite.com/Reporting User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 Response Headersview source Access-Control-Allow-Headers:Content-Type Access-Control-Allow-Methods:GET,PUT,POST,DELETE,OPTIONS Access-Control-Allow-Origin:* Allow:POST Cache-Control:private Content-Length:1565 Content-Type:text/html; charset=utf-8 Date:Tue, 18 Sep 2012 14:26:06 GMT Server:Microsoft-IIS/7.5 X-AspNet-Version:4.0.30319 X-Powered-By:ASP.NET Update: 3/02/2014
There is a recently updated article in MSDN magazine. Detailing CORS Support in ASP.NET Web API 2.
http://msdn.microsoft.com/en-us/magazine/dn532203.aspx
346
Configure IIS 10 to be CORS enabledRight click Defatult Web Site > Add Virtual Directory; In Add Virtual Directory dialog box, Name Alias as CORS_Enable; Choose a Physical path: sya, C:\inetpub\wwwroot. Click OK.
You need just need your site to send the HTTP header Access-Control-Allow-Origin with the value * to "turn off" CORs (well allow any origin).
Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.
It is likely a case of IIS 7 'handling' the HTTP OPTIONS response instead of your application specifying it. To determine this, in IIS7,
Go to your site's Handler Mappings.
Scroll down to 'OPTIONSVerbHandler'.
Change the 'ProtocolSupportModule' to 'IsapiHandler'
Set the executable: %windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll
Now, your config entries above should kick in when an HTTP OPTIONS verb is sent.
Alternatively you can respond to the HTTP OPTIONS verb in your BeginRequest method.
protected void Application_BeginRequest(object sender,EventArgs e) { HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*"); if(HttpContext.Current.Request.HttpMethod == "OPTIONS") { //These headers are handling the "pre-flight" OPTIONS call sent by the browser HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept"); HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000" ); HttpContext.Current.Response.End(); } } I can't post comments so I have to put this in a separate answer, but it's related to the accepted answer by Shah.
I initially followed Shahs answer (thank you!) by re configuring the OPTIONSVerbHandler in IIS, but my settings were restored when I redeployed my application.
I ended up removing the OPTIONSVerbHandler in my Web.config instead.
<handlers> <remove name="OPTIONSVerbHandler"/> </handlers> If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
