Error: Access to XMLHttpRequest at 'http://localhost:7078/websync.ashx?token=1&src=js&AspxAutoDetectCookieSupport=1' from origin 'http://localhost:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:4200, *', but only one is allowed.

Goal: Be able to send a variable from SiteA to SiteB.

(SiteB hosts an iframe that appears on SiteA. SiteA hosts the Angular and ASP.NET Web API. SiteB is the chat server.)

These are the current settings. Do I need both the web.config and the global.asax.cs file? What specifically is causing the error above from my setup? It is my understanding that this happens when it's set in more than one place. Is having it in the web.config and the asax.cs causing that?

I've been through a lot of documentation about HttpResponse as well as CORS, but feel like I'm missing a few pieces here:

SiteA\Web.config:

<add name="Access-Control-Allow-Origin" value="*" />

SiteA\Global.asax.cs:

response.AddHeader("Access-Control-Allow-Headers", "access-control-allow-origin,accept,x-api-applicationid,content-type,authorization");

SiteB\Web.config:

<add name="Access-Control-Allow-Origin" value="*" />
angleUr

1 Answer

I believe you are missing the Access-Control-Allow-Methods in the response from the server. While not required for CORS requests in general, I believe that header is required for preflight-type CORS requests, e.g. https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request

Add this header to your web.config: <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" /> //limit this to methods you want to allow CORS on

You should see that your preflight requests are sending an Access-Control-Request-Method which should be one of the methods allowed by Access-Control-Allow-Methods for the preflight to work.

p e p
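
Added example, not part of the question or the answer: a simplified model of the check a browser applies to a preflight response, run against the duplicated `Access-Control-Allow-Origin` value from the error message. The function names, the request shape, the sample header lists and the assumption that the request carries no credentials are hypothetical.

```javascript
// Added example: preflight check for a request sent without credentials (assumption).
// A header set by two layers arrives as two lines with the same name; the
// browser joins the values with ", " before evaluating them.
function combined(headerPairs, name) {
  const values = headerPairs
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v.trim());
  return values.length ? values.join(", ") : null;
}

const list = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];
// request.headers: names announced in Access-Control-Request-Headers (hypothetical shape).
function checkPreflight(request, headerPairs) {
  const problems = [];
  const acao = combined(headerPairs, "Access-Control-Allow-Origin");
  if (acao === null) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (acao.includes(",")) {
    problems.push(`Access-Control-Allow-Origin contains multiple values '${acao}'`);
  } else if (acao !== "*" && acao !== request.origin) {
    problems.push(`Access-Control-Allow-Origin '${acao}' does not allow ${request.origin}`);
  }

  const methods = list(combined(headerPairs, "Access-Control-Allow-Methods"));
  if (!SAFELISTED_METHODS.includes(request.method) &&
      !methods.includes(request.method) && !methods.includes("*")) {
    problems.push(`method ${request.method} not in Access-Control-Allow-Methods`);
  }

  const allowed = list(combined(headerPairs, "Access-Control-Allow-Headers"))
    .map((h) => h.toLowerCase());
  for (const h of request.headers.map((x) => x.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const viaWildcard = allowed.includes("*") && h !== "authorization";
    if (!allowed.includes(h) && !viaWildcard) {
      problems.push(`header ${h} not in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

// Constructed responses: one layer echoes the origin, a second layer adds "*".
const duplicated = [
  ["Access-Control-Allow-Origin", "http://localhost:4200"],
  ["Access-Control-Allow-Origin", "*"],
  ["Access-Control-Allow-Headers", "accept,content-type,authorization"],
];
const single = duplicated.filter(([, v]) => v !== "*");
```

Calling `checkPreflight` with origin `http://localhost:4200` on `duplicated` reports the multiple-values problem, while `single`, where only one layer sets the header, passes for a POST that announces `content-type`.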