Enable CORS in Sharepoint 2013

Question

I need to make CORS from/to various Sharepoint domains, and of course handle the OPTIONS preflight request. After a lot of research I found that this solution is (almost) the best for my needs. Modify global.asax let you handle more than one domain with credentials passed, and the OPTIONS preflight request.

The bad side is that after applying it as suggested, you can't login in Sharepoint Designer anymore.

I modified global.asax as below, CORS are ok, but Sharepoint Designer no.

public void Application_BeginRequest(object sender, EventArgs e) 
{
string httpOrigin = Request.Params["HTTP_ORIGIN"];
if (httpOrigin != null) 
{   
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", httpOrigin);
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-RequestDigest");
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials", "true");

    if (Request.HttpMethod == "OPTIONS")
    {
        HttpContext.Current.Response.StatusCode = 200;
        var httpApplication = sender as HttpApplication;
        httpApplication.CompleteRequest();
    }
}    
}

I read with Fiddler the request that Sharepoint Designer does and there's not the header 'Origin' so I don't know where's it fails. When I try to login in Sharepoint Designer, I get always 401 as response.

Is there someone that knows how to resolve? Thanks

Answer 1

You can change your condition as below. It works well.

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {

        HttpContext InRequest = HttpContext.Current;

        string OldPath = InRequest.Request.Path.ToLower();

        if (OldPath.Contains("myservice.svc"))
        {

            string httpOrigin = Request.Params["HTTP_ORIGIN"];
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", httpOrigin);
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods",
                "GET, POST, PUT, DELETE, OPTIONS");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers",
                "Origin, X-Requested-With, Content-Type, Accept, X-Token");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Credentials", "true");

            if (Request.HttpMethod == "OPTIONS")
            {
                HttpContext.Current.Response.StatusCode = 200;
                var httpApplication = sender as HttpApplication;
                httpApplication.CompleteRequest();
            }
        }

    }

Answer 2

Have you tried changing web.config at your IIS' root?

<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <system.webServer>
   <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
    </customHeaders>
   </httpProtocol>
 </system.webServer>
</configuration>

http://enable-cors.org/server_iis7.html

Answer 3

It's indeed web config modifications but to get this to work i had to use SPWebConfigModification class

$webApp = Get-SPWebApplication http://myurl/
$modification = New-Object Microsoft.SharePoint.Administration.SPWebConfigModification
$modification.Path = "configuration/system.webServer/httpProtocol/customHeaders"
$modification.Name = "add[@name=`"Access-Control-Allow-Origin`"][@value=`"http://theirurl`"]"
$modification.Value = "<add name=`"Access-Control-Allow-Origin`" value=`"http://theirurl`" />"
$modification.Owner = “Administrator”
$modification.Sequence = 0
$modification.Type = 0

if (($webapp.WebConfigModifications | where-object { $_.Name -eq $modification.Name } | measure).Count -eq 0) {
    Write-Host "Adding " $modification.Name
    $webApp.WebConfigModifications.Add($modification)    
}
else {
    Write-Host $modification.Name already added
}
$webApp.Update()
$webApp.WebConfigModifications
$webApp.Parent.ApplyWebConfigModifications()