
I'm trying to allow another host (a local host, like javascript.dev) to make an XHR to this host. It is an IIS7 server, and if I `curl -I` it, these are the headers:

HTTP/1.1 200 OK
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Server: Microsoft-IIS/7.0
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
Access-Control-Max-Age: 1000
Access-Control-Allow-Headers: *
X-Powered-By: ASP.NET
Date: Fri, 20 Jun 2014 12:09:33 GMT

These are the headers for `curl -v -X OPTIONS`:

* About to connect() to www2.xxxxxxxxxxxx.com.br port 80 (#0)
*   Trying 200.98.xxx.100...
* Connected to www2.xxxxxxxxxxxx.com.br (200.98.xxx.100) port 80 (#0)
> OPTIONS /jobs/xxxxxxx/user/ HTTP/1.1
> User-Agent: curl/7.30.0
> Host: www2.xxxxxxxxxxxx.com.br
> Accept: */*
> 
< HTTP/1.1 200 OK
< Allow: OPTIONS, TRACE, GET, HEAD, POST
* Server Microsoft-IIS/7.0 is not blacklisted
< Server: Microsoft-IIS/7.0
< Public: OPTIONS, TRACE, GET, HEAD, POST
< X-Powered-By: ASP.NET
< Date: Fri, 20 Jun 2014 13:01:25 GMT
< Content-Length: 0

I used PHP to change the Access-Control-Allow-Origin, but when I do the XHR, with or without jQuery, this is the error I'm getting:

XMLHttpRequest cannot load http://www2.xxxxxxxx.com.br/jobs/xxxxxx/user/. 
No 'Access-Control-Allow-Origin' header is present on the requested resource. 
Origin 'http://javascript.dev' is therefore not allowed access. 

To document, these are the additional steps I took to solve it:

I added the code in the answer above to my web.config and got this error:

XMLHttpRequest cannot load http://www2.madeinweb.com.br/jobs/eminhasaude/user. 
Request header field Content-Type is not allowed by Access-Control-Allow-Headers. 

Because Access-Control-Allow-Headers doesn't accept the wildcard *. To solve:

<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
Dreanmer
  • So when you send `OPTIONS /jobs/xxxxxx/user/` it returns those headers as well? Presumably it does the same for a `POST` to that address? What appears in the network tab of your browser's debug tools? – Dean Ward Jun 20 '14 at 12:31
  • I added the headers for OPTIONS – Dreanmer Jun 20 '14 at 13:05
  • I think that might be your problem - browsers perform an OPTIONS request before they perform the actual operation. Your OPTIONS does not have `Access-Control-Allow-Origin`. – Dean Ward Jun 20 '14 at 13:08
  • OK, I really think this is the problem, but can I handle the response to the OPTIONS request with my PHP application? And if I can't, how can I do this in IIS7? – Dreanmer Jun 20 '14 at 13:18

1 Answer

Based upon comments it looks like you're missing the Access-Control-Allow-Origin header when an OPTIONS request is submitted. According to this article it should be a simple case of adding the following code to your PHP page...

<?php
header('Access-Control-Allow-Origin: *');
?>

If that still doesn't work then you should check the IIS handler mapping for PHP (see here) and make sure that OPTIONS is an allowed verb. Hopefully that does the job!

This article also indicates that you could skip modifying the PHP at all and simply add the following to your web.config:

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Headers" value="*" />
      <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, OPTIONS" />
      <add name="Access-Control-Max-Age" value="1000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Be aware that this will open up the entire site rather than just one page...

Dean Ward
  • OK, added this to web config, now the headers on the OPTIONS request are: `Access-Control-Allow-Origin: * < Access-Control-Allow-Headers: * < Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS` but I'm still receiving errors, now this error: `XMLHttpRequest cannot load http://www2.madeinweb.com.br/jobs/eminhasaude/user. Request header field Content-Type is not allowed by Access-Control-Allow-Headers. ` – Dreanmer Jun 20 '14 at 14:02
  • Looks like `Access-Control-Allow-Headers` doesn't accept wildcards... http://stackoverflow.com/questions/13146892/cors-access-control-allow-headers-wildcard-being-ignored. Try adding just Content-Type instead of the * – Dean Ward Jun 20 '14 at 14:21
  • Yeah, I solved this as follows: `` – Dreanmer Jun 20 '14 at 14:30
  • Removing headers from php controller and making the above said changes in the web.config helped me. Thanks a ton. – Shrinivas Jul 25 '18 at 10:28
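
The two failures in this thread can be reproduced offline with a simplified model of the check a browser applies to the OPTIONS (preflight) response. This is an added example, not code from the question or the answer; the function names, the `wildcardHeaders` option, the assumption that the XHR sends a non-simple `Content-Type`, and the assembly of the three header sets from the lines quoted on this page are all assumptions of the example.

```javascript
// Simplified model of the browser's CORS preflight check (added example).
// Not a full Fetch implementation: credentials mode is ignored.

// Parse "Name: value" lines, as printed by curl, into a lower-cased map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

// wildcardHeaders=false treats "*" in Access-Control-Allow-Headers as a
// literal name, which is the behaviour reported in this thread.
function checkPreflight(rawResponse, req, { wildcardHeaders = false } = {}) {
  const h = parseHeaders(rawResponse);
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  if (acao !== '*' && acao !== req.origin) return { allowed: false, reason: 'origin not allowed' };
  const method = req.method.toLowerCase();
  const methods = tokens(h['access-control-allow-methods']);
  // GET, HEAD and POST pass without being listed.
  if (!['get', 'head', 'post'].includes(method) && !methods.includes(method))
    return { allowed: false, reason: `method ${req.method} not allowed` };
  const allowHeaders = tokens(h['access-control-allow-headers']);
  for (const name of req.headers) {
    const ok = allowHeaders.includes(name.toLowerCase()) || (wildcardHeaders && allowHeaders.includes('*'));
    if (!ok) return { allowed: false, reason: `header ${name} not allowed` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed request: assumes the XHR sends a non-simple Content-Type.
const REQ = { origin: 'http://javascript.dev', method: 'POST', headers: ['Content-Type'] };
const ACAO = 'Access-Control-Allow-Origin: *\nAccess-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS\n';
// OPTIONS responses assembled from the header sets shown on this page.
const SAMPLES = {
  original: 'Allow: OPTIONS, TRACE, GET, HEAD, POST\nPublic: OPTIONS, TRACE, GET, HEAD, POST',
  wildcard: ACAO + 'Access-Control-Allow-Headers: *',
  fixed: ACAO + 'Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept',
};

for (const [name, raw] of Object.entries(SAMPLES)) console.log(name, checkPreflight(raw, REQ));
```

Pass `{ wildcardHeaders: true }` as the third argument to evaluate the same response as a client that honours the wildcard would.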