I have an asp.net mvc5 (with Angular) website installed in IIS on a Win 2008 R2 Ent server, and everything runs fine while running the site on the server itself.

As soon as we access the site from outside the server, I'm getting CORS related errors:

    Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/api/init?space=razor_RAGE&environment=razor_RAGE&clariteConfig=E:\razor_RAGE\master\bin\clarite_config.xml. This can be fixed by moving the resource to the same domain or enabling CORS.

I thought the solution was to add the proper headers to the http request:

    'Access-Control-Allow-Origin': 'true'

However, it doesn't seem to be solving the CORS issues.

Here's an example of a request I'm making from JavaScript (all good on the server, but will not work outside the server):

    this.getRazorInitParams = function () {
        var deferred = $q.defer();
        deferred.notify("Getting init parameters...");
        var razorEnvParams = [];
        $http({
            method: 'GET',
            encoding: 'JSON',
            headers: {
                'Access-Control-Allow-Origin': 'true'
            },
            url: 'breeze/Rage/GetRazorEnv'
        }).success(function (data, status, headers, config) {
            razorEnvParams = data;
            deferred.resolve(razorEnvParams);  
        }).error(function (data, status, headers, config) {
            console.log("Error in userContext.js, getRazorInitParams " + status);
        });
        return deferred.promise;
    }

Here's a snippet from the C# API layer:

    using System.Net;
    using System.Net.Http;
    using System.Text;
    using System.Web.Http;

    public class initController : ApiController
    {
        public HttpResponseMessage Get()
        {
            // space, env, dom, cConf vars all defined here..

            string resp = DynAggrClientAPI.initApp( space, env, dom, cConf );

            // Plain 200 response carrying the JSON body; no Access-Control-* headers are set here.
            var response = Request.CreateResponse(HttpStatusCode.OK);
            response.Content = new StringContent(resp, Encoding.UTF8, "application/json");

            return response;
        }
    }

I'm searching around for the right solution. Is there anything I'm missing here?

thanks in advance,

Bob

bob.mazzo

1 Answer

The value for the header should be either a specific domain, or an asterisk to indicate that CORS requests can come from any domain.

Access-Control-Allow-Origin: 'http://example.org'

or

Access-Control-Allow-Origin: '*'

Also note that you can't "whitelist" multiple domains. It's either one, or all.

If you're going to use so-called "complex" requests (i.e. something other than a simple GET or POST request), you also need to set the Access-Control-Allow-Methods field, and if you want to retrieve specific headers, the Access-Control-Allow-Headers as well (although in this case, they won't be needed).

tkers
    I would add that this isn't a per-request setting, but rather an IIS setting on the website / server. http://stackoverflow.com/questions/12458444/enabling-cross-origin-resource-sharing-on-iis7 – xDaevax Nov 25 '14 at 14:30
  • Access-Control-Allow-Origin: '*' (needs a quote) does not work. I also cannot find the OPTIONSVerbHandler as mentioned in the IIS handlers post. – bob.mazzo Nov 25 '14 at 19:37
  • Can you verify that the client receives the ACAO header? I'm not too familiar with IIS so there might be something wrong there. The OPTIONS verb is only sent for complex requests, so you should be able to ignore it for this specific use case. EDIT: You should remove the extra headers (the ACAO one) from your AJAX request. They are not required and they cause the request to become "complex". Complex requests require some extra headers on the server side (as mentioned in my answer). – tkers Nov 26 '14 at 22:26
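The following is an added example, not code from the question, the answer, or the ASP.NET/Angular project described above. It puts the two points of this thread into runnable form: the browser-side classification that decides whether a request gets an OPTIONS preflight (which is why the client-set `Access-Control-Allow-Origin` header in the question's `$http` call turns a plain GET into a "complex" request, as the last comment says), and the server-side decision about which `Access-Control-*` response headers to attach. It goes one step beyond the answer's "one origin or all": the server compares the request's `Origin` header against an allow-list per request and echoes back the single matching origin, so several origins can be served while each response still carries exactly one value; unknown origins get no header at all, which is the safe default. The origin allow-list, the approved methods and headers, and the sample requests are all constructed for the example. In the asker's setup this logic belongs in the Web API layer (a filter or message handler), not in the Angular client.

```javascript
// Added example (not from the question or the answer): the CORS decision a
// server-side filter makes, written as plain functions so it runs offline.
// The allow-list, approved methods/headers and sample requests are constructed.

// Origins this site is willing to expose API responses to (constructed sample).
const ALLOWED_ORIGINS = new Set(['https://app.example.org', 'https://admin.example.org']);

// What a browser may send without a preflight (CORS "simple" requests).
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// What this server approves in a preflight response (constructed sample).
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_REQUEST_HEADERS = ['content-type', 'authorization'];

// Normalise header names to lower case so lookups are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Browser-side view: given the method and the headers the script itself set
// (not the ones the browser adds), will the browser send an OPTIONS preflight?
function needsPreflight(method, scriptHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(lowerKeys(scriptHeaders))) {
    if (!SIMPLE_HEADERS.has(name)) return true;   // any custom header, e.g. a client-set ACAO
    if (name === 'content-type' &&
        !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// Server-side view: which CORS response headers to attach. An empty object
// means "none", which makes the browser block the cross-origin read.
function corsResponseHeaders(method, requestHeaders) {
  const h = lowerKeys(requestHeaders);
  const origin = h['origin'];
  if (!origin) return {};                         // same-origin or non-browser caller
  if (!ALLOWED_ORIGINS.has(origin)) return {};    // unknown origin: deny by omission

  const out = {
    'Access-Control-Allow-Origin': origin,        // exactly one value: the matched origin
    'Vary': 'Origin',                             // shared caches must key on Origin
  };

  const isPreflight = method.toUpperCase() === 'OPTIONS' && 'access-control-request-method' in h;
  if (isPreflight) {
    const wantedMethod = h['access-control-request-method'].toUpperCase();
    if (!ALLOWED_METHODS.includes(wantedMethod)) return {};
    const wantedHeaders = (h['access-control-request-headers'] || '')
      .split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
    const approved = wantedHeaders.every(n => SIMPLE_HEADERS.has(n) || ALLOWED_REQUEST_HEADERS.includes(n));
    if (!approved) return {};
    out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    out['Access-Control-Allow-Headers'] = ALLOWED_REQUEST_HEADERS.join(', ');
    out['Access-Control-Max-Age'] = '600';        // let the browser cache this preflight
  }
  return out;
}

// The request from the question: a GET that sets 'Access-Control-Allow-Origin'
// on the client side. That is not a simple header, so it forces a preflight.
console.log(needsPreflight('GET', { 'Access-Control-Allow-Origin': 'true' })); // true
console.log(needsPreflight('GET', {}));                                         // false
console.log(corsResponseHeaders('GET', { Origin: 'https://app.example.org' }));
console.log(corsResponseHeaders('GET', { Origin: 'https://evil.example' }));    // {}
```

Run it with `node cors-example.js`. Note that the wildcard `*` the answer mentions would replace the echoed origin and the `Vary` line, but it cannot be combined with credentialed requests, which is why the per-request echo is the usual shape when the API sits behind a login.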