How to allow CORS for ASP.NET WebForms endpoint?

Question

I am trying to add some [WebMethod] annotated endpoint functions to a Webforms style web app (.aspx and .asmx).

I'd like to annotate those endpoints with [EnableCors] and thereby get all the good ajax-preflight functionality.

VS2013 accepts the annotation, but still the endpoints don't play nice with CORS. (They work fine when used same-origin but not cross-origin).

I can't even get them to function cross-origin with the down and dirty

HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "*");

approach -- my browsers reject the responses, and the cross-origin response headers don't appear.

How can I get CORS functionality in these [WebMethod] endpoints?

WebForms actively made it difficult to modify headers, e.g. as soon as something is sent to user, you can't change headers. Here is one hack that I've use before: http://stackoverflow.com/questions/4091157/httpmodule-to-add-headers-to-request — MatthewMartin, Mar 03 '16 at 16:31
And another way to do it with webconfig http://stackoverflow.com/questions/2922178/is-it-possible-to-add-response-http-headers-in-web-config — MatthewMartin, Mar 03 '16 at 16:32
And a more modern way to manipulate headers using owin middleware: http://www.mikesdotnetting.com/article/269/asp-net-5-middleware-or-where-has-my-httpmodule-gone — MatthewMartin, Mar 03 '16 at 16:36

score 22 · Accepted Answer · edited Apr 21 '18 at 14:55

22

I recommend double-checking you have performed all steps on this page: CORS on ASP.NET

In addition to:

Response.AppendHeader("Access-Control-Allow-Origin", "*");

Also try:

Response.AppendHeader("Access-Control-Allow-Methods","*");

Try adding directly in web config:

<system.webServer>
   <httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Methods" value="*" />
       <add name="Access-Control-Allow-Headers" value="Content-Type" />
     </customHeaders>
   </httpProtocol>
</system.webServer>

Failing that, you need to ensure you have control over both domains.

edited Apr 21 '18 at 14:55

AhHatem

1,415
3
14
23

answered Mar 07 '16 at 22:56

MikeDub

5,143
3
27
44

2

You are the greatest programmer of the known world! Poems will be written,statuses will be built in your holy name! – Sotiris Zegiannis Sep 14 '18 at 11:08
this is not the correct answer, the user asked a way to enable CORS on webmethods not webapi – Paolo Jun 07 '19 at 08:07

score 2 · Answer 2 · answered Dec 05 '21 at 15:14

FYI, enable CORS in classic webform. In Global.asax

void Application_Start(object sender, EventArgs e)
    {        
        GlobalConfiguration.Configuration.EnableCors();        
        RouteTable.Routes.MapHttpRoute(
     name: "DefaultApi",
     routeTemplate: "api/{controller}/{action}/{id}",
     defaults: new { id = System.Web.Http.RouteParameter.Optional }
 );

score 1 · Answer 3 · answered Mar 10 '16 at 00:23

If you need the preflight request, e.g. so you can send authenticated requests, you are not able to set Access-Control-Allow-Origin: *. It must be a specific Origin domain.
Also you must set the Access-Control-Allow-Methods and Access-Control-Allow-Headers response headers, if you are using anything besides the defaults.
(Note these constraints are just how CORS itself works - this is how it is defined.)

So, it's not enough to just throw on the [EnableCors] attribute, you have to set values to the parameters:

[EnableCors(origins: "https://www.olliejones.com", headers: "X-Custom-Header", methods: "PUT", SupportsCredentials = true)]

Or if you want to do things manually and explicitly:

HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "https://www.olliejones.com");
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Headers", "X-Custom-Header");
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Methods", "PUT");
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Credentials", "true");

One last thing - you do have to call .EnableCors() on initiation. In e.g. MVC or WebAPI, you would call this on HttpConfiguration, when registering the config and such - however I have no idea how it works with WebForms.

score 0 · Answer 4 · answered Mar 10 '16 at 11:54

If you use the AppendHeader method to send cache-specific headers and at the same time use the cache object model (Cache) to set cache policy, HTTP response headers that pertain to caching might be deleted when the cache object model is used. This behavior enables ASP.NET to maintain the most restrictive settings. For example, consider a page that includes user controls. If those controls have conflicting cache policies, the most restrictive cache policy will be used. If one user control sets the header "Cache-Control: Public" and another user control sets the more restrictive header "Cache-Control: Private" via calls to SetCacheability, then the "Cache-Control: Private" header will be sent with the response.

You can create a httpProtocol in web config for customHeaders.

<httpProtocol>
     <customHeaders>
       <add name="Access-Control-Allow-Methods" values="*" />        
     </customHeaders>
   <httpProtocol>

Joe Park · Answer 5 · 2017-08-22T10:46:06.880

0

For the web form, you can use

Response.AddHeader("Access-Control-Allow-Origin", "*");

instead of

Response.AppendHeader("Access-Control-Allow-Origin", "*");

The first one works for old version of ASP.Net Web Form.

edited Aug 22 '17 at 10:46

answered May 23 '17 at 00:28

Joe Park

77
1
6

score -1 · Answer 6 · edited Mar 09 '16 at 15:59

-1

I think your code looks good, but IIS does not send the header entity alone with response expectedly. Please check whether IIS is configured properly.

Configuring IIS6
Configuring IIS7

If CORS doesn't work for your particularity problem, maybe jsonp is another possible way.

edited Mar 09 '16 at 15:59

marr75

5,666
1
27
41

answered Mar 04 '16 at 06:53

stanleyxu2005

8,081
14
59
94

Maybe json is another possible way. how? – Mar 09 '16 at 15:21
1

I guess you mis-read `JSONP` as `JSON`. A JSONP response is a standard JSON string wrapped in a function call. Every modern browser is able to evaluate JSONP response without origin domain policy restriction. You can find some solution for c# like this http://stackoverflow.com/questions/14221429/how-can-i-produce-jsonp-from-an-asp-net-web-service-for-cross-domain-calls – stanleyxu2005 Mar 10 '16 at 02:36

score -2 · Answer 7 · answered Mar 10 '16 at 12:57

-2

You can do like this in MVC

[EnableCors(origins: "*", headers: "*", methods: "*")]
public ActionResult test()
{
     Response.AppendHeader("Access-Control-Allow-Origin", "*");
     return View();
}

answered Mar 10 '16 at 12:57

Ankur Shah

412
6
16

3

OP is not doing this in MVC as he specified in his post title. – AaA Oct 22 '19 at 03:12

How to allow CORS for ASP.NET WebForms endpoint?

7 Answers7

Linked