1

Enabling CORS on WebAPI

I have this set in WebApiConfig.cs

```
config.EnableCors();
```

and this is how my attribute is set up for my controller method:

```
[EnableCors("http://dev.example.com,http://personal.example.com,http://www.example.com", // Origin
            "Accept, Origin, Content-Type, Options",                       // Request headers
            "POST",                                                        // HTTP methods
            PreflightMaxAge = 600                                          // Preflight cache duration
)]
```

But I still get the error: "The 'Access-Control-Allow-Origin' header contains multiple values."

What else do I need to do to prevent this? We must allow from all three domains, but the first 2 are sub-domains of the last one.

MB34

1 Answer

2

Do you have any options set in your web.config file for CORS, i.e. something like `<add name="Access-Control-Allow-Origin" value="*"/>`?

If yes, make sure to remove that, and control CORS through the code only.

Edit: Well, that means that you always add the header to your response, no matter which controller the request hits, and in case the request hits the controller with the EnableCors attribute it will add another header. If you removed the one in the Application_BeginRequest() it should work; however, that means that you need to decorate all other controllers with the EnableCors attribute, which may be acceptable in your case. Otherwise, you need to add a DelegateHandler where you can check the request and set the CORS depending on the requested controller. Have a look at this: http://georgedurzi.com/implementing-cross-browser-cors-support-for-asp-net-web-api/ It may help you start with DelegateHandlers. Hope that helps.

Omar.Alani
  • I didn't have that but I do have `HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");` in the `Application_BeginRequest()` in Global.asax.cs. – MB34 Oct 22 '14 at 14:12
  • Omar.Alani is there anything else I need to do here? I only want the one controller action to be CORS enabled. – MB34 Oct 30 '14 at 21:20
  • What about all other actions, they want them to be disabled? – Omar.Alani Oct 30 '14 at 22:22
  • Have you checked this article? http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api . They enable CORS for a specific controller or specific action. – Omar.Alani Oct 30 '14 at 22:49
  • `what about all other actions` We only want this one. The app is actually for a different purpose but some functionality in this app is needed for another purpose and we are going to expose that functionality to our other apps. Since all my allows are on the same domain, i.e. www.domain.com, sub.domain.com, othersub.domain.com, can I just use a single origin? – MB34 Oct 31 '14 at 14:18
  • The article you pointed out by George Durzi is rather old and I have seen the other one on asp.net. I am still having issues. I removed the AddHeader call from the Application_BeginRequest() function and have my attribute set correctly but I still get `No 'Access-Control-Allow-Origin' header is present on the requested resource.` I also removed the customHeaders from the Web.config because it doesn't support multiple origins. – MB34 Nov 10 '14 at 21:28
  • As I said, that article is quite old and I'm using MVC4 with WebAPI 2. I'm not sure it'll work. – MB34 Nov 24 '14 at 22:43
  • MVC4! What happens, for example, when you use a single domain, not 3? Will that make any difference? – Omar.Alani Nov 24 '14 at 23:07
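
The message-handler approach the answer points to, as an added example that is not part of the original thread and not code from either poster: a handler that checks the request's `Origin` against an allowlist and writes exactly one `Access-Control-Allow-Origin` value. The class name `SingleOriginCorsHandler` and the route prefix `/api/shared` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical handler. Register with config.MessageHandlers.Add(new SingleOriginCorsHandler())
// and remove the Global.asax AddHeader call, any web.config customHeaders entry and the
// [EnableCors] attribute, so only one component ever writes Access-Control-Allow-Origin.
public class SingleOriginCorsHandler : DelegatingHandler
{
    // Origins taken from the question's attribute.
    private static readonly HashSet<string> Allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "http://dev.example.com", "http://personal.example.com", "http://www.example.com"
    };
    // Assumed route prefix of the one action that should be CORS-enabled.
    private const string CorsPath = "/api/shared";
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string origin = request.Headers.TryGetValues("Origin", out values) ? values.FirstOrDefault() : null;
        bool corsRoute = request.RequestUri.AbsolutePath.StartsWith(CorsPath, StringComparison.OrdinalIgnoreCase);
        // Unknown origin or any other route: pass through with no CORS headers at all.
        if (origin == null || !corsRoute || !Allowed.Contains(origin))
            return await base.SendAsync(request, cancellationToken);

        bool preflight = request.Method == HttpMethod.Options
            && request.Headers.Contains("Access-Control-Request-Method");
        HttpResponseMessage response = preflight
            ? new HttpResponseMessage(HttpStatusCode.OK) { RequestMessage = request }
            : await base.SendAsync(request, cancellationToken);

        // Echo the single matching origin; never "*" and never a comma-separated list.
        response.Headers.Remove("Access-Control-Allow-Origin");
        response.Headers.Add("Access-Control-Allow-Origin", origin);
        response.Headers.Add("Vary", "Origin"); // shared caches must key on Origin
        if (preflight)
        {
            // Method and max-age from the question's attribute; its "Options" entry is a method, not a header.
            response.Headers.Add("Access-Control-Allow-Methods", "POST");
            response.Headers.Add("Access-Control-Allow-Headers", "Accept, Origin, Content-Type");
            response.Headers.Add("Access-Control-Max-Age", "600");
        }
        return response;
    }
}
```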