4

I am having some trouble allowing CORS OPTIONS requests from a website that I am working on. After doing some research I was under the impression that the following things needed to be in place in order for CORS OPTIONS requests to work:

Under the HTTP Headers Tab have the following:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,DELETE,OPTIONS
Access-Control-Allow-Headers: x-requested-with, cache-control, content-type, origin

Under the Home Directory tab set Execution Permissions to Scripts Only or Scripts and Executables.

I have done all of this, but when I try to submit the following request I get a 403.1 error:

Request URL:https://mystaging.verbalink.com/Secure/File/Handler.ashx?Id=9070c032-cced-4155-af29-6f6df476598d,c606c3c8-d06f-43ce-ab25-0614b0142659
Request Method:OPTIONS
Status Code:403 Forbidden

Request Headers
OPTIONS /Secure/File/Handler.ashx?Id=9070c032-cced-4155-af29-6f6df476598d,c606c3c8-d06f-43ce-ab25-0614b0142659 HTTP/1.1
Host: mystaging.verbalink.com
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://mystaging.verbalink.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Access-Control-Request-Headers: cache-control, origin, x-requested-with, content-type
Accept: */*
Referer: http://mystaging.verbalink.com/Secure/File/MultiUpload2.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Query String Parametersview sourceview URL encoded
Id:9070c032-cced-4155-af29-6f6df476598d,c606c3c8-d06f-43ce-ab25-0614b0142659

Response Headers
HTTP/1.1 403 Forbidden
Allow: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 1758
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Access-Control-Allow-Methods: POST,DELETE,OPTIONS
Access-Control-Allow-Headers: x-requested-with, cache-control, content-type, origin
Access-Control-Allow-Origin: *
Public: OPTIONS, TRACE, GET, HEAD, POST
Date: Mon, 08 Apr 2013 20:19:10 GMT

Does anyone see anything wrong with the way I have IIS configured that could cause this error?

Abe Miessler
  • 925
  • 4
  • 11
  • 20

1 Answers1

4

In IIS Manager, right click on the website and select Properties. Switch to the Home Directory tab, and click the Configuration button. In the list of application extensions, locate the extension that your web service uses (e.g. .svc for WCF, .asmx for ASP.NET web services), select it, and click the Edit button. In the Limit To field, make sure that OPTIONS is included in the comma-separated list.

Screenshot of dialog boxes

Then click OK until the dialog boxes have all closed, and that should be it.

David Keaveny
  • 408
  • 1
  • 6
  • 12