1

I have two DotNet MVC sites. One accesses a Web API from the other with an AJAX GET call.

This all worked, but has stopped functioning now. I've hardly made any changes on my side, so I'm wondering if my host might have made changes (in IIS, for example) that would stop this from working?

Here's how I initially got it working...

I installed the Microsoft.Aspnet.Cors and Microsoft.Aspnet.WebApi.Cors packages.

I added the following code...

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.EnableCors();

And in the controller for my API I added...

namespace Webscope.Controllers
{
    [EnableCors(origins: "[URL of my other website]", headers: "*", methods: "*")]      
    public class EventAPIController : ApiController

This used to work, but now get the following error in the console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https:[my website URL]/EventRead/1-1-2015/12-12-2099. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

In response to @FoggyDay's answer below, I've called the API from Fiddler and got the following headers...

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Frame-Options: AllowAll
X-Powered-By: ASP.NET
Date: Fri, 13 Mar 2020 03:56:39 GMT
Content-Length: 198

So it looks as if CORS headers have not been included in the response. Can anyone tell me why this would be?

UPDATE

I found some extraneous code from a previous attempt to get CORS working. Now that I've removed this code, I am seeing the CORS headers in Fiddler.

Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: https://[ calling website's URL ]/

However I'm still getting the following error in my calling site's console...

Access to XMLHttpRequest at 'https://[ destination site URL ]/api/EventRead/1-1-2015/12-12-2099' from origin '[ calling website's URL ]' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

clayRay
  • 683
  • 1
  • 14
  • 32

1 Answers1

2

SUGGESTIONS:

  1. Back out your "new" changes. It sounds like you've inadvertantly introduced a second header.

  2. Read this: Reason: CORS header 'Access-Control-Allow-Origin' missing

  3. Look at your HTTP traffic, for example in Fiddler. Verify that you're sending the header ... and verify that you're allowing the correct combination of host and port.

  4. If you're still having problems, post back with the exact error message and relevant HTTP headers.

FoggyDay
  • 11,962
  • 4
  • 34
  • 48
  • Ok, I've updated my question above. Fiddler returned correct result data, but no CORS headers. – clayRay Mar 13 '20 at 04:51
  • 1
    Q: The HTTP response you updated was from the IIS server that's responding to your Ajax calls, right? It's running ASP.Net, correct? It's your "Web API" server, correct? I would *expect* to see `Access-Control-Allow-Origin: http://xyz:1234` (hostname/port#) as one of the response headers, The `[EnableCors(origins:...)]` attribute *should* do that for you. – FoggyDay Mar 13 '20 at 05:31
  • thanks for your help with this. That's a YES answer to all your questions. I've contacted the host, and they say they haven't changed anything that might affect it. I might try enabling CORS in web.config instead. – clayRay Mar 19 '20 at 00:45
  • Sorry to hear that :( Please check out this link: https://stackoverflow.com/a/38945791/3135317. And please let us know how you resolve it! – FoggyDay Mar 19 '20 at 01:58
  • @FoddyDay sorry about the big time delay, I had to urgently work on another project, but I'm back again and I've got one step further. See new info above. Thanks. – clayRay Apr 01 '20 at 07:15