3

I'm building an Angular app which use ng-resource. The service API is built in Asp.Net Core web api and the CORS is already enabled.

The service.js code

.factory('D2Service', ['$resource', function ($resource) {
    return $resource('http://localHost:5001/api/D2/:id',
        { id: '@id' },
        {
            update: { method: 'PUT' }
        });
}])

However, the call D2Service.update(model.d); in controller got the following error.

XMLHttpRequest cannot load http://localhost:5001/api/D2. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8082' is therefore not allowed access.

But D2Service.get({ id: model.id }).... runs without any error. Why the 'PUT' has the CORS issue while the 'GET' is fine?

The following are the request/response when monitoring using fiddler.

Request:

OPTIONS http://localhost:5001/api/D2 HTTP/1.1
Host: localhost:5001
Connection: keep-alive
Access-Control-Request-Method: PUT
Origin: http://localhost:8082
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:8082/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8

Response:

HTTP/1.1 204 No Content
Date: Sun, 27 Nov 2016 23:32:31 GMT
Server: Kestrel
ca9163d9
  • 27,283
  • 64
  • 210
  • 413
  • to properly support CORS, your server needs to respond to preflight requests (OPTIONS) - that is how CORS works – Jaromanda X Nov 28 '16 at 00:28
  • How to make the server respond to preflight requests? I'm using Asp.net core on dotnet core. – ca9163d9 Nov 28 '16 at 00:31
  • that's what google is for - to search how to do these things - https://learn.microsoft.com/en-us/aspnet/core/security/cors – Jaromanda X Nov 28 '16 at 00:33
  • I've added `services.AddCors();` and app.UseCors(builder => builder.AllowAnyOrigin().AllowAnyHeader())` but it still not working. – ca9163d9 Nov 28 '16 at 00:59
  • I see no "options.addPolicy" as per the documentation section about preflight – Jaromanda X Nov 28 '16 at 01:21
  • I changed `services.AddCors();` to `services.AddCors(o=> { o.AddPolicy("AllowSpecificOrigin", b => b.WithOrigins("http://localhost:5001")); });` but still got the error. – ca9163d9 Nov 28 '16 at 01:31
  • I posted another question http://stackoverflow.com/questions/40837153/asp-net-core-doesnt-respond-to-preflight-request-option. Someone said in comments that the options suppose to return no content? – ca9163d9 Nov 28 '16 at 05:38
  • correct, they should return appropriate `Access-Control-*` *response headers* – Jaromanda X Nov 28 '16 at 05:40

1 Answers1

0

For preflight request to work you should have following header in your response:

Access-Control-Allow-Origin: YOUR_DOMAIN
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: YOUR_CUSTOM_HEADERS
Nishanth Matha
  • 5,993
  • 2
  • 19
  • 28
  • How to make ngResource call has the header of `Access-Control-Allow-Origin`? It's missing in the request headers. – ca9163d9 Nov 28 '16 at 01:00
  • that should be a response header and should be set in your server – Nishanth Matha Nov 28 '16 at 01:02
  • Right now I'm using nodejs to host the angular app. I just enter the folder and `npm start`. I searched `Access-Control-Allow-Origin` in the project and the only file found is `.htaccess` under folder `bower_components\html5-boilerplate\dist` – ca9163d9 Nov 28 '16 at 01:07
  • refer to this post on how to add response header in node.js `http://stackoverflow.com/questions/18310394/no-access-control-allow-origin-node-apache-port-issue` – Nishanth Matha Nov 28 '16 at 01:09
  • You said "response" in the answer. Do you mean request? – ca9163d9 Nov 28 '16 at 05:39
  • nope I meant response only... the response from your server (as per your OP .asp or nodejs ) should contain the three headers mentioned for preflight to work – Nishanth Matha Nov 28 '16 at 05:41
  • Got it. So it's the server side issue. Thanks – ca9163d9 Nov 28 '16 at 05:42