3

I'm trying to get a CORS request to work; however, I've been running into problems when running it on a deployed server.

I'm using Thinktecture IdentityModel to set up my CORS, which works beautifully when running on a local instance of IIS Express but fails on a proper IIS 7.5 version of the site.

This is the local version and works perfectly:

OPTIONS http://local.api.mysite.org:57339/api/search HTTP/1.1
Host: local.api.mysite.org:57339
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://local.mysite.org:62747
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36
Access-Control-Request-Headers: accept, origin, content-type
Accept: */*
Referer: http://local.mysite.org:62747/search
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

=======

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://local.mysite.org:62747
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept,origin,content-type
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?QzpcR2l0XGxpdmVzLWRldmVsb3BcQnJpZ2h0U29saWQuTGl2ZXMuV2ViQXBpXGFwaVxzZWFyY2g=?=
X-Powered-By: ASP.NET
Date: Tue, 01 Oct 2013 21:28:06 GMT
Content-Length: 0

This is the deployed version and fails:

OPTIONS http://betatest.api.mysite.org/api/search HTTP/1.1
Host: betatest.api.mysite.org
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://betatest.mysite.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36
Access-Control-Request-Headers: accept, origin, content-type
Accept: */*
Referer: http://betatest.mysite.org/search
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

=======

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 01 Oct 2013 21:31:24 GMT
Content-Length: 0

The GETs work fine on the deployed instance, but not the POSTs.

It appears that the OPTIONS preflight response is different between IIS Express and IIS 7.5.

I've tried cleaning the cache but that's not made a difference.

Neil

1 Answer

2

Sounds like maybe WebDAV on the production server is hijacking the OPTIONS request. This blog post shows how to disable WebDAV for the application:

http://brockallen.com/2012/10/18/cors-iis-and-webdav/

Brock Allen
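To make the difference between the two captured responses concrete, here is an added example (not code from the question, the answer, or the linked blog post) that applies a simplified version of the browser's preflight check to both. The helper names `parseHeaders` and `checkPreflight` are hypothetical, and the response texts are trimmed copies of the two captures in the question.

```javascript
// Added example: simplified browser-side CORS preflight check (hypothetical helpers).
// Response texts are trimmed from the two captures in the question.
const LOCAL = `HTTP/1.1 200 OK
Server: Microsoft-IIS/8.0
Access-Control-Allow-Origin: http://local.mysite.org:62747
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept,origin,content-type`;

const DEPLOYED = `HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST`;

function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Returns { ok, reasons }; "*" only counts as a wildcard when no credentials are sent.
function checkPreflight(raw, { origin, method, requestHeaders, credentials }) {
  const h = parseHeaders(raw);
  const reasons = [];
  const acao = h["access-control-allow-origin"];
  if (!acao) {
    reasons.push("no Access-Control-Allow-Origin");
    // Allow/Public without CORS headers: the server's generic OPTIONS handling replied.
    if (h["allow"] || h["public"]) reasons.push("generic OPTIONS reply: request never reached the CORS handler");
    return { ok: false, reasons };
  }
  const wild = !credentials;
  if (acao !== origin && !(wild && acao === "*")) reasons.push("origin not allowed");
  if (credentials && h["access-control-allow-credentials"] !== "true") reasons.push("credentials not allowed");
  const m = method.toLowerCase();
  const methods = list(h["access-control-allow-methods"]);
  const safelisted = ["get", "head", "post"]; // pass without Access-Control-Allow-Methods
  if (!safelisted.includes(m) && !methods.includes(m) && !(wild && methods.includes("*")))
    reasons.push("method not allowed");
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of requestHeaders.map((s) => s.toLowerCase()))
    if (!allowed.includes(name) && !(wild && allowed.includes("*"))) reasons.push(`header not allowed: ${name}`);
  return { ok: reasons.length === 0, reasons };
}
```

The local response passes even without `Access-Control-Allow-Methods` because POST is a CORS-safelisted method; the deployed response fails at the first check, and its `Allow`/`Public` headers show that something ahead of the CORS handler answered the OPTIONS request.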