
I have two servers, App and Web: App is hosting a Web API 2 API secured by OWIN, and Web is an Angular 1.6 application that calls the API.

My headers look like this:

Request:

Host: app
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Origin: http://mysite
Connection: keep-alive

Response:

Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Allow: GET
Content-Length: 83
Content-Type: text/html; charset=utf-8
Date: Tue, 11 Apr 2017 16:41:04 GMT
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET

I've opened up my web.config to include:

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="*" />
    <add name="Access-Control-Allow-Headers" value="*" />
  </customHeaders>
</httpProtocol>

I also have:

config.EnableCors(new EnableCorsAttribute("*", "*", "*"));

My error is:

Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘(null)'

What am I missing here and how do I make the CORS error go away?

RandomUs1r
  • On your server try changing the response to this, and see if it works. Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Origin: * . I would think the asterisk would work across the board, but perhaps it's causing an issue. – user2263572 Apr 11 '17 at 17:03
  • You should figure out why the browser has decided the origin is 'null' instead of the `http://mysite` origin you say you see in the request headers. https://stackoverflow.com/questions/42239643/when-does-firefox-set-the-origin-header-to-null-in-post-requests/42242802#42242802 lists some cases where a browser will decide the origin is 'null'. I guess the most likely one that may be happening in this case is that there’s some cross-origin redirect happening in betwee – sideshowbarker Apr 11 '17 at 17:42

1 Answer

Of course, shortly after posting the question, I figured it out. My issue was twofold:

I needed to remove

config.EnableCors(new EnableCorsAttribute("*", "*", "*"));

from WebApiConfig.cs

And then in Startup.cs

I needed to move

app.UseCors(CorsOptions.AllowAll);

to the top.

The web.config section was also safely removed at that point.

Credit to: Dreaded CORS issue with WebAPI and token

RandomUs1r
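The Startup.cs ordering described in the answer above, as an added example that is not the poster's code. The `App` namespace, the OAuth bearer middleware and the attribute-routed Web API are assumptions; the policy allows only the `http://mysite` origin shown in the question's request headers, where the answer uses `CorsOptions.AllowAll`.

```csharp
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(App.Startup))]   // "App" namespace is assumed

namespace App
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // 1. CORS is registered first, so it runs ahead of the auth and
            //    Web API middleware and answers the OPTIONS preflight itself.
            //    The answer uses CorsOptions.AllowAll here; this variant
            //    allows only the Angular site's origin from the question.
            var policy = new CorsPolicy
            {
                AllowAnyMethod = true,
                AllowAnyHeader = true   // covers the "authorization" request header
            };
            policy.Origins.Add("http://mysite");

            app.UseCors(new CorsOptions
            {
                PolicyProvider = new CorsPolicyProvider
                {
                    PolicyResolver = request => Task.FromResult(policy)
                }
            });

            // 2. Authentication comes after CORS (assumed: OAuth bearer tokens).
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            // 3. Web API last. There is no config.EnableCors(...) call and no
            //    CORS customHeaders block in web.config, as the answer describes,
            //    so the OWIN middleware is the only layer emitting CORS headers.
            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }
}
```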