
We are integrating with a closed source API running on IIS server V10. At first, all of the requests from our frontend (ReactJS) were blocked by CORS. We've added the following custom headers in the IIS configuration to allow CORS:

```
Access-Control-Allow-Origin: <IP:PORT>
Access-Control-Allow-Methods: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
```

Now all the requests work fine except for the preflight requests, which give a 404 response with the message `Access to XMLHttpRequest from origin has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.`

We've tried to install the IIS CORS module using this guide, but it gives a 500 server error.

  • Don't set `Access-Control-Allow-Methods` to `*`, set it to the verbs you actually want to allow (and have routes configured for) including `OPTIONS` for preflight checks. Also, if you can _at all_ fix that: don't use the legacy XMLHttpRequest object client-side. Use the Fetch API. – Mike 'Pomax' Kamermans Jul 22 '23 at 19:29
  • And, of course, search for solutions: [How to authorize CORS preflight request on IIS with Windows Authentication](https://stackoverflow.com/questions/49450854/how-to-authorize-cors-preflight-request-on-iis-with-windows-authentication) would be relevant here. – Mike 'Pomax' Kamermans Jul 22 '23 at 19:31
  • We've tried to set `Access-Control-Allow-Methods` to `OPTIONS, POST and GET` and got the same behavior, also we are obligated to use XMLHttpRequest. – Hossam Mohamed Jul 22 '23 at 19:32
  • The question is following the same guide that we've tried already :) – Hossam Mohamed Jul 22 '23 at 19:33
  • Then actually show your errors. If you've cleared OPTIONS as permitted verb, and you have a route handler for that verb on the IIS side either because you wrote one manually, or you've enabled the CORS module, this should work. So if you get errors with the CORS module, find out why, so you can fix that, so you can use the CORS module instead of having to roll your own solutions. – Mike 'Pomax' Kamermans Jul 22 '23 at 19:34
  • The errors I'm getting are in the question already! – Hossam Mohamed Jul 22 '23 at 19:36
  • "it gives 500 server error" is not the error. That's you describing the error. As per the [posting guidelines](/help/how-to-ask): show the _actual_ error by copy-pasting your error log into your post, and using code formatting so it's presented correctly. (Also, it would be incredible if you're using React but you can't use the universally supported fetch API) – Mike 'Pomax' Kamermans Jul 22 '23 at 19:36
  • Either 404 or 500 requires further analysis via FRT to learn the module and actual cause, https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/troubleshoot-php-with-failed-request-tracing – Lex Li Jul 22 '23 at 20:45
  • For this error `Access to XMLHttpRequest from origin has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status`. Please check this: [Access to XMLHttpRequest from origin has been blocked by CORS policy](https://techcommunity.microsoft.com/t5/iis-support-blog/access-to-xmlhttprequest-from-origin-has-been-blocked-by-cors/ba-p/3800362). – YurongDai Jul 24 '23 at 07:10
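
An added example, not part of the original question or its comments: a small re-implementation of the checks a browser applies to a preflight response under the Fetch standard, run against the header set from the question. The function and constant names, the sample origin, and the request shape (a credentialed POST with a JSON `Content-Type`) are assumptions made for illustration.

```javascript
// Added example: browser preflight checks (Fetch standard) re-implemented so a
// captured OPTIONS response can be evaluated offline. All names are hypothetical.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const listValues = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

function checkPreflight(request, response) {
  const failures = [];
  const h = {};
  for (const [k, v] of Object.entries(response.headers)) h[k.toLowerCase()] = v;
  const credentialed = request.credentials === true;

  // The preflight response itself must have a 2xx status; a 404 fails here.
  if (response.status < 200 || response.status > 299) failures.push("status-not-ok");

  // With credentials the origin must be echoed exactly; "*" is rejected.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === "*" ? credentialed : allowOrigin !== request.origin) failures.push("origin-not-allowed");
  if (credentialed && h["access-control-allow-credentials"] !== "true") failures.push("credentials-not-allowed");

  // "*" in Allow-Methods / Allow-Headers is a wildcard only without credentials.
  const methods = listValues(h["access-control-allow-methods"]);
  const wildcardMethod = !credentialed && methods.includes("*");
  if (!methods.includes(request.method) && !wildcardMethod && !SAFELISTED_METHODS.has(request.method)) {
    failures.push("method-not-allowed");
  }
  const allowed = listValues(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of request.headers.map((s) => s.toLowerCase())) {
    const wildcard = !credentialed && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) failures.push("header-not-allowed:" + name);
  }
  return failures;
}

// Constructed sample data: ORIGIN stands in for the question's <IP:PORT>.
const ORIGIN = "http://frontend.example:3000";
// "Content-Type" is listed because a JSON body makes it a non-safelisted header.
const SAMPLE_REQUEST = { origin: ORIGIN, method: "POST", headers: ["Content-Type"], credentials: true };
const ASKER_RESPONSE = { status: 404, headers: {
  "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Methods": "*",
  "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Headers": "*" } };
const EXPLICIT_RESPONSE = { status: 204, headers: {
  "Access-Control-Allow-Origin": ORIGIN, "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
  "Access-Control-Allow-Credentials": "true", "Access-Control-Allow-Headers": "Content-Type" } };

console.log(checkPreflight(SAMPLE_REQUEST, ASKER_RESPONSE));
console.log(checkPreflight(SAMPLE_REQUEST, EXPLICIT_RESPONSE));
```

The first result shows two independent failures: the 404 status, and the `*` header list, which stops acting as a wildcard once `Access-Control-Allow-Credentials: true` is in play, so fixing the status alone would not be enough for this request.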

0 Answers