Asp Net WebApi2 Enable CORS not working with AspNet WebApi Cors 5 2 3

Question

I tried to follow the steps at http   enable-cors org server aspnet html to have my RESTful API  implemented with ASP NET WebAPI2  work with cross origin requests  CORS Enabled   It s not working unless I modify the web config   I installed WebApi Cors dependency   install-package Microsoft AspNet WebApi Cors -ProjectName MyProject Web Api   Then in my App Start I ve got the class WebApiConfig as follows   public static class WebApiConfig       public static void Register HttpConfiguration config                var corsAttr   new EnableCorsAttribute                         config EnableCors corsAttr            var constraintsResolver   new DefaultInlineConstraintResolver             constraintsResolver ConstraintMap Add  apiVersionConstraint   typeof ApiVersionConstraint            config MapHttpAttributeRoutes constraintsResolver            config Services Replace typeof IHttpControllerSelector   new NamespaceHttpControllerSelector config              config EnableSystemDiagnosticsTracing             config Services Replace typeof ITraceWriter   new SimpleTraceWriter WebContainerManager Get lt ILogManager gt                config Services Add typeof IExceptionLogger   new SimpleExceptionLogger WebContainerManager Get lt ILogManager gt               config Services Replace typeof IExceptionHandler   new GlobalExceptionHandler                but after that I run the application  I request a resource with Fiddler like  http   localhost 51589 api v1 persons and in the response I cannot see the HTTP headers that I should see such as    Access-Control-Allow-Methods  POST  PUT  DELETE  GET  OPTIONS Access-Control-Allow-Origin      Am I missing some step  I have tried with the following annotation on the controller    EnableCors origins   http   example com   headers       methods         Same result  no CORS enabled   However  if I add the following in my web config  without even installing the AspNet WebApi Cors dependency  it works    lt system webServer gt    lt httpProtocol gt     lt  -- THESE HEADERS ARE IMPORTANT TO WORK WITH CORS -- gt     lt  --    lt customHeaders gt       lt add name  Access-Control-Allow-Origin  value       gt       lt add name  Access-Control-Allow-Methods  value  POST  PUT  DELETE  GET  OPTIONS    gt       lt add name  Access-Control-Allow-Headers  value  content-Type  accept  origin  X-Requested-With  Authorization  name    gt       lt add name  Access-Control-Allow-Credentials  value  true    gt     lt  customHeaders gt    -- gt   lt  httpProtocol gt   lt handlers gt     lt  -- THESE HANDLERS ARE IMPORTANT FOR WEB API TO WORK WITH  GET HEAD POST PUT DELETE and CORS-- gt     lt  --     lt remove name  WebDAV    gt     lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb  GET HEAD POST PUT DELETE  type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0    gt     lt remove name  ExtensionlessUrlHandler-Integrated-4 0    gt     lt remove name  OPTIONSVerbHandler    gt     lt remove name  TRACEVerbHandler    gt     lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb     type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0    gt  -- gt   lt  handlers gt      Any help would be much appreciated   Thank you

User · Answer

In case of CORS request all modern browsers respond with an OPTION verb, and then the actual request follows through. This is supposed to be used to prompt the user for confirmation in case of a CORS request. But in case of an API if you would want to skip this verification process add the following snippet to Global.asax

        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");
            if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
            {
                HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "POST, PUT, DELETE");

                HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
                HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
                HttpContext.Current.Response.End();
            }
        }

Here we are just by passing the check by checking for OPTIONS verb.

User · Answer

You just need to change some files  This works for me   Global ascx  public class WebApiApplication   System Web HttpApplication       protected void Application Start                 WebApiConfig Register GlobalConfiguration Configuration             WebApiConfig cs  All the requests has to call this code   public static class WebApiConfig       public static void Register HttpConfiguration config                EnableCrossSiteRequests config           AddRoutes config              private static void AddRoutes HttpConfiguration config                config Routes MapHttpRoute              name   Default               routeTemplate   api  controller                          private static void EnableCrossSiteRequests HttpConfiguration config                var cors   new EnableCorsAttribute              origins                    headers                    methods                config EnableCors cors             Some Controller  Nothing to change   Web config  You need to add handlers in your web config   lt configuration gt      lt system webServer gt       lt handlers gt         lt remove name  ExtensionlessUrlHandler-Integrated-4 0    gt         lt remove name  OPTIONSVerbHandler    gt         lt remove name  TRACEVerbHandler    gt         lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb     type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0    gt       lt  handlers gt        lt  system webServer gt    lt  configuration gt

User · Answer

I found this question because I was having issues with the OPTIONS request most browsers send  My app was routing the OPTIONS requests and using my IoC to construct lots of objects and some were throwing exceptions on this odd request type for various reasons   Basically put in an ignore route for all OPTIONS requests if they are causing you problems   var constraints   new   httpMethod   new HttpMethodConstraint HttpMethod Options     config Routes IgnoreRoute  OPTIONS      pathInfo    constraints     More info  Stop Web API processing OPTIONS requests

User · Answer

Hope this helps someone in the future  My problem was that I was following the same tutorial as the OP to enable global CORS  However  I also set an Action specific CORS rule in my AccountController cs file    EnableCors origins      headers       methods          and was getting errors about the origin cannot be null or empty string  BUT the error was happening in the Global asax cs file of all places  Solution is to change it to    EnableCors origins       headers       methods          notice the   in the origins  Missing that was what was causing the error in the Global asax cs file    Hope this helps someone

User · Answer

I ve created a pared-down demo project for you    Source  https   github com bigfont webapi-cors Api Link  https   cors-webapi azurewebsites net api values   You can try the above API Link from your local Fiddler to see the headers  Here is an explanation   Global ascx  All this does is call the WebApiConfig  It s nothing but code organization   public class WebApiApplication   System Web HttpApplication       protected void Application Start                 WebApiConfig Register GlobalConfiguration Configuration             WebApiConfig cs  The key method for your here is the EnableCrossSiteRequests method  This is all that you need to do  The EnableCorsAttribute is a globally scoped CORS attribute   public static class WebApiConfig       public static void Register HttpConfiguration config                EnableCrossSiteRequests config           AddRoutes config              private static void AddRoutes HttpConfiguration config                config Routes MapHttpRoute              name   Default               routeTemplate   api  controller                          private static void EnableCrossSiteRequests HttpConfiguration config                var cors   new EnableCorsAttribute              origins                    headers                    methods                config EnableCors cors             Values Controller  The Get method receives the EnableCors attribute that we applied globally  The Another method overrides the global EnableCors   public class ValuesController   ApiController          GET api values     public IEnumerable lt string gt  Get                 return new string                   This is a CORS response                  It works from any origin                             GET api values another      HttpGet       EnableCors origins  http   www bigfont ca   headers      methods            public IEnumerable lt string gt  Another                 return new string                   This is a CORS response                   It works only from two origins                  1  www bigfont ca                 2  the same origin                         Web config  You do not need to add anything special into web config  In fact  this is what the demo s web config looks like - it s empty    lt  xml version  1 0  encoding  utf-8   gt   lt configuration gt   lt  configuration gt    Demo   x000D   x000D  var url    https   cors-webapi azurewebsites net api values  x000D   x000D    get url  function data    x000D    console log  We expect this to succeed     x000D    console log data   x000D      x000D   x000D  var url    https   cors-webapi azurewebsites net api values another  x000D   x000D    get url  function data    x000D    console log data   x000D     fail function xhr  status  text    x000D    console log  We expect this to fail     x000D    console log status   x000D      x000D   lt script src  https   ajax googleapis com ajax libs jquery 2 1 1 jquery min js  gt  lt  script gt  x000D   x000D   x000D

User · Answer

No-one of safe solution work for me so to be safer than Neeraj and easier than Matthew just add   System Web HttpContext Current Response AddHeader  Access-Control-Allow-Origin          In your controller s method  That work for me   public IHttpActionResult Get         System Web HttpContext Current Response AddHeader  Access-Control-Allow-Origin             return Ok  value

User · Answer

I just added custom headers to the Web config and it worked like a charm   On configuration - system webServer    lt httpProtocol gt     lt customHeaders gt       lt add name  Access-Control-Allow-Origin  value       gt       lt add name  Access-Control-Allow-Headers  value  Content-Type    gt     lt  customHeaders gt   lt  httpProtocol gt    I have the front end app and the backend on the same solution  For this to work  I need to set the web services project  Backend  as the default for this to work   I was using ReST  haven t tried with anything else

User · Answer

None of these answers really work  As others noted the Cors package will only use the Access-Control-Allow-Origin header if the request had an Origin header  But you can t generally just add an Origin header to the request because browsers may try to regulate that too   If you want a quick and dirty way to allow cross site requests to a web api  it s really a lot easier to just write a custom filter attribute   public class AllowCors   ActionFilterAttribute       public override void OnActionExecuted HttpActionExecutedContext actionExecutedContext                if  actionExecutedContext    null                        throw new ArgumentNullException  actionExecutedContext                      else                       actionExecutedContext Response Headers Remove  Access-Control-Allow-Origin                actionExecutedContext Response Headers Add  Access-Control-Allow-Origin                           base OnActionExecuted actionExecutedContext             Then just use it on your Controller action    AllowCors  public IHttpActionResult Get         return Ok  value        I won t vouch for the security of this in general  but it s probably a lot safer than setting the headers in the web config since this way you can apply them only as specifically as you need them   And of course it is simple to modify the above to allow only certain origins  methods etc

User · Answer

WEBAPI2 SOLUTION  global asax cs   var cors   new EnableCorsAttribute                 config EnableCors cors     IN solution explorer  right-click api-project  In properties window set  Anonymous Authentication  to Enabled      Hope this helps someone in the future

User · Answer

I just experienced this same issue  trying to enable CORS globally  However I found out it does work  however only when the request contains a Origin header value  If you omit the origin header value  the response will not contain a Access-Control-Allow-Origin   I used a chrome plugin called DHC to test my GET request  It allowed me to add the Origin header easily

User · Answer

After some modifications in my Web config CORS suddenly stopped working in my Web API 2 project  at least for OPTIONS request during the preflight   It seems that you need to have the section mentioned below in your Web config or otherwise the  global  EnableCorsAttribute will not work on OPTIONS requests  Note that this is the exact same section Visual Studio will add in a new Web API 2 project    lt system webServer gt     lt handlers gt       lt remove name  ExtensionlessUrlHandler-Integrated-4 0   gt       lt remove name  OPTIONSVerbHandler   gt       lt remove name  TRACEVerbHandler   gt       lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb     type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0   gt     lt  handlers gt   lt  system webServer gt

[c#] Asp.Net WebApi2 Enable CORS not working with AspNet.WebApi.Cors 5.2.3

Examples related to c#

Examples related to rest

Examples related to cors

Examples related to asp.net-web-api2