6

All,

I have a really simple Web API 2 project that I'm working on. For some reason I cannot get CORS to work properly unless I put it in the web.config file. I followed the instructions on the MSDN article and this ASP.NET article, but I must be missing something.

Global.asax.cs

protected void Application_Start()
{
    WebApiConfig.Register(GlobalConfiguration.Configuration);
}

WebApiConfig.cs

public static void Register(HttpConfiguration config)
{
    config.EnableCors(new EnableCorsAttribute("*","*","*"));

    config.MapHttpAttributeRoutes();
}

JavaScript

    $.ajax({
        url: '//myapidomain.com/buildings'
    }).done(function (data) {
        var theList     = $('.buildings'),
            theListHTML = "",
            response    = JSON.parse(data);

        $.each(response.Buildings.Data, function () {
            theListHTML += '<li>' + this.Description + '</li>';
        });
        theList.html(theListHTML);
    });

I've looked at just about every single Stack Overflow (such as this one) and MSDN forum post (like this one), and from what I can tell, this should be working. The app is hosted on an IIS 8 server running 4.0.

Update

It appears to be something with the request itself (or rather IIS configuration). If I send the request over HTTP, then it fails (no access-control headers get sent back). However, if I request it over HTTPS, everything works fine.

Solution

Our hosting environment was intercepting the non-HTTPS requests and forcing them to HTTPS. When it does this it returns a 304 which jQuery's method doesn't know how to handle. The solution is either to just always make the request over HTTPS (preferred) OR to handle this situation yourself/find an alternative library/plugin that handles this scenario.

Community
  • 1
  • 1
Joel Kinzel
  • 969
  • 2
  • 7
  • 19
  • Could you link that MSDN article? – Jasen Jun 22 '15 at 18:05
  • @Jasen - I've updated the original posting with links to the articles and other posts I've read to try and trouble shoot – Joel Kinzel Jun 22 '15 at 18:40
  • What do the network headers look like when it fails? – Jasen Jun 22 '15 at 19:16
  • @Jasen - Chrome network console has them listed as 302, with errors "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '[mydomain]' is therefore not allowed access." – Joel Kinzel Jun 22 '15 at 19:53
  • Have you tried the `crossDomain: true` option on your `.ajax()` request? – Jasen Jun 22 '15 at 20:01
  • @Jasen - Yup, doesn't change the errors at all – Joel Kinzel Jun 22 '15 at 21:07
  • Did you run your client page from a website? Or opening HTML file directly (the error was saying this)? – hazjack Jun 23 '15 at 03:32
  • @haz - I just have a simple HTML file on a different domain that makes an AJAX call (above) to my API. The errors are appearing my browser's console. I'm not really clear on what your question was? – Joel Kinzel Jun 23 '15 at 13:19
  • I mean sometime we open the file locally (not via http://domain/file.html, or something similarly). In your context, IMHO it should work. – hazjack Jun 24 '15 at 03:05
  • What happen if you update url to include schema? url: 'https://myapidomain.com/buildings' – hazjack Jun 24 '15 at 03:46
  • @haz - It appears it could be an issue with the IIS server. It will serve over HTTPS but not over HTTP. – Joel Kinzel Jun 24 '15 at 14:27
  • Can you compare the request being made (perhaps the http one doesn't include any headers)? How do you know this reaches IIS at all. It reads as if the browser is blocking it. Can you show a fiddler trace of both requests going out? – Yishai Galatzer Jun 24 '15 at 14:38
  • @YishaiGalatzer - IIS is returning a 302 (object moved) when receiving an HTTP request in an attempt to move the request to HTTPS. Our organization has transitioned to using HTTPS for all requests. The result is that request comes back, but the browser never actually makes the second request to the HTTPS resource. – Joel Kinzel Jun 24 '15 at 19:17
  • that makes sense. Basically IIS handles the request before it reaches webapi so it has no chance to handle the CORS request. – Yishai Galatzer Jun 25 '15 at 03:38

1 Answers1

0

Solution

Our hosting environment was intercepting the non-HTTPS requests and forcing them to HTTPS. When it does this it returns a 304 which jQuery's method doesn't know how to handle. The solution is either to just always make the request over HTTPS (preferred) OR to handle this situation yourself/find an alternative library/plugin that handles this scenario.

Joel Kinzel
  • 969
  • 2
  • 7
  • 19