2

So I have a view on a controller ...

[AllowAnonymous]
[Route("MyView")]
public ActionResult MyView()
{
    // first attempt at solving problem
    Response.AddHeader("Access-Control-Allow-Origin", "*");
    Response.AddHeader("Access-Control-Allow-Headers", "*");
    Response.AddHeader("Access-Control-Allow-Methods", "*");

    return PartialView();
}

I tried adding this attribute (2nd attempt) ...

public class AllowCors : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        filterContext.RequestContext.HttpContext.Response.AddHeader("Access-Control-Allow-Origin", "*");
        filterContext.RequestContext.HttpContext.Response.AddHeader("Access-Control-Allow-Headers", "*");
        filterContext.RequestContext.HttpContext.Response.AddHeader("Access-Control-Allow-Methods", "*");
        base.OnActionExecuting(filterContext);
    }
}

As im using owin to initialise my app I figured this might work (3rd attempt) ...

app.Use((context, next) =>
{
    if (context.Request.Method == "OPTIONS")
    {
        context.Response.StatusCode = 200;
        context.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
        context.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "*" });
        context.Response.Headers.Add("Access-Control-Allow-Methods", new[] { "*" });
        return context.Response.WriteAsync("handled");
    }

    return next.Invoke();
}).UseStageMarker(PipelineStage.PreHandlerExecute);

The problem is that if I just straight up ask for it by putting the url in the browser I get the right headers ...

Access-Control-Allow-Headers:*
Access-Control-Allow-Methods:*
Access-Control-Allow-Origin:*

... moving over in to postman to test this, when I issue an OPTIONS call to the same URL I get this in the headers ...

Allow: OPTIONS, TRACE, GET, HEAD, POST

... so how do I get MVC to respond correctly to the OPTIONS http verb so that I can use this view outside the domain of the site?

EDIT

it's worth noting that I have looked around already and found all these and many more ...

The requested resource does not support http method 'OPTIONS'.?

jQuery $.ajax(), $.post sending "OPTIONS" as REQUEST_METHOD in Firefox

AJAX in Chrome sending OPTIONS instead of GET/POST/PUT/DELETE?

Why does this jQuery AJAX PUT work in Chrome but not FF

How to support HTTP OPTIONS verb in ASP.NET MVC/WebAPI application

... i'm also very familiar with using CORS and making CORS requests in to WebAPI, but for some reason I can't seem to make a CORS request in to MVC without getting this seemingly "dummy" response back.

I think what I need is a means to override / replace the MVC default behaviour to this HttpVerb based request to allow me to embed views in a remote site.

Community
  • 1
  • 1
War
  • 8,539
  • 4
  • 46
  • 98

1 Answers1

3

Install these two nuget packages:

Microsoft.AspNet.Cors
Microsoft.Owin.Cors

Then in your Startup.cs add this line inside the Configuration function:

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        ConfigureAuth(app);

        app.UseCors(CorsOptions.AllowAll);
    }
}

In my demo setup I'm sending a post request from the domain http://example.local (Apache) to the domain http://localhost:6569/ (IIS Express).

Without app.UseCors(CorsOptions.AllowAll); (notice the warning in the console and no CORS headers):

before setting up CORS

And after adding the packages and adding the line to the Configuration method:

After setting up CORS

As you can see in the screenshot, the access-control-allow-origin was added in the response headers as expected/

Nasreddine
  • 36,610
  • 17
  • 75
  • 94
  • Dang, I was really hoping it would be that simple but it doesn't work :( – War May 13 '16 at 20:45
  • @Darth_Wardy Just created a new project to test it out and it works as expected. Are you sure there's nothing else messing up with your setup? – Nasreddine May 13 '16 at 21:09
  • Hmmm, odd, this isn't what i'm seeing ... time for some old school comment out style debugging ... the only other stuff I have going on right now is identity framework. – War May 13 '16 at 21:19
  • Here's my startup: https://gist.github.com/TehWardy/b36b2cdf851ddb80c8cdb52c51c6d24f ... any ideas? – War May 13 '16 at 21:24
  • Also my MVC config: https://gist.github.com/TehWardy/639494577863f6e29cac6d9445b6b2bd – War May 13 '16 at 21:26
  • I'm not doing a POST, i'm doing a GET for a html view ... wonder if that makes some sort of difference – War May 13 '16 at 21:53
  • It shouldn't make any difference since I tried both and they worked. I'm thinking that it might be ninject but I don't know enough about it. – Nasreddine May 13 '16 at 21:57
  • Hmmm, I wondered that too, IoC can be a bit of a hell hole if you do complex stuff, so I commented that out and got the same result :( ... maybe its something about my machine / VS / my project file ... in some way ... this is just plain wierd ... i'm gonna +1 your answer because its clearly a good answer. – War May 13 '16 at 22:04
  • Hmm odd, I had to also add the config elements (for some reason) as per this question and its answer ... http://stackoverflow.com/questions/24245831/cors-not-working-in-my-mvc-app-getting-header-error-despite-settings-web-config ... please add this to your answer but i'll give you the tick anyway :) ... thanks for the time on this one @Nasreddine – War May 13 '16 at 22:21
  • 1
    I'm on mobile and I don't want to mess up the formatting of my question but I'll make sure to add them one I'm on my computer again. Glad to see that you finally solved your problem. – Nasreddine May 13 '16 at 22:28