8

I've followed the usual steps for enabling CORS in Web API, but I get a 404 response to an OPTIONS request in Chrome, and in Firefox I get:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.mydomain.com/api/1/widgets. This can be fixed by moving the resource to the same domain or enabling CORS.

In my WebApiConfig.cs I've got:

var enableCorsAttribute = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(enableCorsAttribute);

I've also tried adding EnableCors attributes to the specific controllers or actions and all have the same result.

I've also added the following to my web.config:

<modules runAllManagedModulesForAllRequests="true">
  <remove name="WebDAVModule" />
</modules>
<handlers>
  <remove name="WebDAV" />
...

Here is my JavaScript:

$.ajax({
    url: 'https://api.mydomain.com/api/1/widgets',
    type: "GET",
    headers: {
        Accept: "text/html; charset=utf-8",
        Authorization: 'Bearer ???????????????????????????????'
    }
});

But the response is 404 in Chrome and "Cross-Origin request Blocked" in Firefox.

Here are the details of the failing request from my Chrome developer toolbar:

Remote Address:??.???.???.???:443
Request URL:https://api.mydomain.com/api/1/widgets
Request Method:OPTIONS
Status Code:404 Not Found

Request

OPTIONS /api/1/widgets HTTP/1.1
Host: api.mydomain.com
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://myotherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Access-Control-Request-Headers: accept, authorization
Accept: */*
Referer: http://myotherdomain.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6

Response

HTTP/1.1 404 Not Found
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Access-Control-Allow-Origin: http://myotherdomain.com
Access-Control-Allow-Credentials: true
X-AspNetMvc-Version: 5.0
X-UA-Compatible: IE=edge,chrome=1
X-Frame-Options: SAMEORIGIN
Cache-conrol: no-store
Date: Thu, 28 Aug 2014 16:00:28 GMT
Content-Length: 341

What am I missing?

Andy

2 Answers

10

In case anyone else has the same problem, this issue was due to the fact that we were using Microsoft's excellent UrlScan in IIS.

UrlScan has an AllowVerbs section and a DenyVerbs section. Ensure that the OPTIONS verb is allowed.

techvice
Andy
  • 3
    Thanks for the hint! In my case, I had configured my routes using `MapHttpRoute` and the `OPTION` verb was not allowed because of a `System.Web.Http.Routing.HttpMethodConstraint`. – rockariotphobia Aug 02 '16 at 21:42
  • +5 this has taken my whole day, finally caught it! – ibubi Mar 09 '17 at 14:21
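
Why the browser still blocks the call in the question even though the 404 reply carries Access-Control-Allow-Origin: a preflight must also come back with a 2xx status and allow the requested headers. The following is an added example, not code from any poster in this thread; `parseHead` and `checkPreflight` are hypothetical helper names, the checks are a simplified reading of the Fetch standard's preflight rules for a request without credentials, and the header text is constructed from the question's capture.

```javascript
// Added example: simplified CORS preflight checks for a non-credentialed request.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Parse a raw HTTP head into its start line and a map of lower-cased header names.
function parseHead(raw) {
  const [startLine, ...rest] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine, headers };
}

// Split a comma-separated header value into trimmed, non-empty tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);

// Return the reasons a browser would fail this preflight; an empty list means it passes.
function checkPreflight(rawRequest, rawResponse) {
  const req = parseHead(rawRequest).headers;
  const res = parseHead(rawResponse);
  const reasons = [];
  const status = Number(res.startLine.split(" ")[1]);
  if (!(status >= 200 && status <= 299)) reasons.push(`status ${status} is not 2xx`);
  const acao = res.headers["access-control-allow-origin"];
  if (acao !== "*" && acao !== req["origin"]) reasons.push("origin not allowed");
  const method = req["access-control-request-method"] || "";
  const methods = tokens(res.headers["access-control-allow-methods"]);
  if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !methods.includes("*"))
    reasons.push(`method ${method} not allowed`);
  const allowed = tokens(res.headers["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const name of tokens(req["access-control-request-headers"]).map((h) => h.toLowerCase())) {
    // "*" never covers Authorization; that header must be listed by name.
    const viaWildcard = allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) reasons.push(`header ${name} not allowed`);
  }
  return reasons;
}

// Constructed sample input: the CORS-relevant lines of the exchange in the question.
const REQUEST = `OPTIONS /api/1/widgets HTTP/1.1
Origin: http://myotherdomain.com
Access-Control-Request-Method: GET
Access-Control-Request-Headers: accept, authorization`;
const RESPONSE_404 = `HTTP/1.1 404 Not Found
Access-Control-Allow-Origin: http://myotherdomain.com
Access-Control-Allow-Credentials: true`;

console.log(checkPreflight(REQUEST, RESPONSE_404));
```

Run with Node.js; against the question's capture it reports the 404 status and both requested headers as failures, which is what a verb filter or route constraint that never lets OPTIONS reach the CORS handler produces.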
0

using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Cors;
using System.Web.Http.Routing;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Allow cross-origin calls from this one origin, with any header and any method.
        var corsAttr = new EnableCorsAttribute("http://localhost:3000", "*", "*");
        config.EnableCors(corsAttr);

        // GuidConstraint is the poster's own route constraint (not shown here).
        config.Routes.MapHttpRoute("DefaultApiWithId", "Api/{controller}/{id}", new { id = RouteParameter.Optional }, new { id = new GuidConstraint() });
        config.Routes.MapHttpRoute("DefaultApiWithAction", "Api/{controller}/{action}");
        config.Routes.MapHttpRoute("DefaultApiGet", "Api/{controller}", new { action = "Get" }, new { httpMethod = new HttpMethodConstraint(HttpMethod.Get) });
        config.Routes.MapHttpRoute("DefaultApiPost", "Api/{controller}", new { action = "Post" }, new { httpMethod = new HttpMethodConstraint(HttpMethod.Post) });
        // Also match OPTIONS (CORS preflight) requests to Api/{controller}; the GET and POST routes above exclude them.
        config.Routes.MapHttpRoute("DefaultApiOptions", "Api/{controller}", new { action = "Options" }, new { httpMethod = new HttpMethodConstraint(HttpMethod.Options) });
    }
}

The last line can solve the issue for .NET Web API.

Serhat Türkman