
I have an ASP.Net WebAPI application using:

Microsoft.AspNet.Cors - 5.2.2
Microsoft.AspNet.WebApi.Cors - 5.2.2
Microsoft.AspNet.WebApi - 5.2.0

Please note I had some problems displaying the HTTP address on Stack Overflow, so it might look a bit strange in this question:

I have set the following:

var cors = new EnableCorsAttribute("`http://localhost:4181`", "*", "*", "X-Custom-Header"); 
config.EnableCors(cors);

and in my controller:

[EnableCors(origins: "`http://localhost:4181`", headers: "*", methods: "*", exposedHeaders: "X-Custom-Header", SupportsCredentials = true)]
[OverrideAuthentication]
[HostAuthentication(DefaultAuthenticationTypes.ExternalCookie)]
[AllowAnonymous]
[Route("ExternalLogin", Name = "ExternalLogin")]
public async Task<IHttpActionResult> GetExternalLogin(string provider, string error = null)

  • When I access the site with IE11 I can log in to the site (Ajax login); the correct response is sent back, but I don't see any custom headers saying Access-Control-Allow-Origin. IE accepts what came back and takes me to the next page.
  • When I access the site with Chrome I can log in to the site (Ajax login); the correct response is sent back, but I don't see any custom headers saying Access-Control-Allow-Origin. Chrome does not accept the response and, even though there's a 200 code returned, it does not go to the next page. Instead it gives this message in the console:

    XMLHttpRequest cannot load http://localhost:3048/Token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4181' is therefore not allowed access. The response had HTTP status code 502.

When I check with Fiddler both the IE and the Chrome calls return the correct access data from the login, but Chrome goes no further than displaying the console error message.

sideshowbarker
Samantha J T Star
  • Why do you have ' surrounding the url in the enablecors attribute "`http://localhost:4181`", remove it. – Omar.Alani Dec 06 '14 at 10:11
  • FYI, it's not necessary to call both EnableCors() _and_ decorate a controller with `[EnableCors]`. The former enables it globally. – Richard Szalay Dec 06 '14 at 10:12
  • Omar - That's just for the SO question. It kept giving me messages saying I could not include localhost link in the question. See my note at the top of the question explaining this. thanks – Samantha J T Star Dec 06 '14 at 10:17
  • Richard - I did the decorate so I could include "SupportsCredentials = true". Is there a way that I can do that globally also? Thanks – Samantha J T Star Dec 06 '14 at 10:18

2 Answers


Add the following line of code to GrantResourceOwnerCredentials, which will add the header to the response.

context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });

Check my answer here ASP.NET WEB API 2 OWIN Authentication unsuported grant_Type

and my article here, where you can find a working project with CORS enabled.

Omar.Alani
  • I did this but now I am getting a different message: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. – Samantha J T Star Dec 06 '14 at 10:26
  • check the link that I've added to the answer, it shows how to enable CORS for Web API 2, and call the api from AngularJS client. – Omar.Alani Dec 06 '14 at 10:36
  • Thanks Omar. I will check out your article. I did one thing which was replace the "*" with my origin. But then now I get a message saying Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is ''. It must be 'true' to allow credentials. – Samantha J T Star Dec 06 '14 at 10:36

I have had problems setting

Access-Control-Allow-Origin: *

Some browsers do not accept *, but require the response to contain the domain name of the originating request, like this:

Access-Control-Allow-Origin: stackoverflow.com

Therefore (and for security reasons): On the server, read the domain the request originates from, compare this against a whitelist, set Access-Control-Allow-Origin to the domain the request originates from.

Per Kristian
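Putting that approach into the asker's stack, as an added example that is not code from any of the posts: an OWIN middleware that reads the request's Origin, compares it against an exact-match allowlist, and only then echoes it back together with Access-Control-Allow-Credentials: true (the combination the comments above show Chrome insisting on once credentials are in play). The allowlist entry and X-Custom-Header come from the question; the middleware and method names are mine, and it assumes the Web API template's `app.UseOAuthAuthorizationServer(...)` registers the /Token endpoint.

```csharp
using System;
using System.Linq;
using Microsoft.Owin;
using Owin;

public static class CorsAllowlistMiddleware
{
    // Constructed allowlist: exact origins (scheme + host + port), no wildcards.
    private static readonly string[] AllowedOrigins =
    {
        "http://localhost:4181",
    };

    // Hypothetical extension name; register it in Startup.Configuration
    // before app.UseOAuthAuthorizationServer(...) so /Token is covered too.
    public static void UseCorsAllowlist(this IAppBuilder app)
    {
        app.Use(async (context, next) =>
        {
            string origin = context.Request.Headers.Get("Origin");
            // Exact, case-insensitive comparison; never reflect an unknown Origin.
            bool allowed = origin != null &&
                AllowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase);

            if (allowed)
            {
                IHeaderDictionary headers = context.Response.Headers;
                // Credentialed requests need the literal origin, not "*",
                // plus Access-Control-Allow-Credentials: true.
                headers.Set("Access-Control-Allow-Origin", origin);
                headers.Set("Access-Control-Allow-Credentials", "true");
                headers.Set("Access-Control-Expose-Headers", "X-Custom-Header");
                // Tell caches that the response depends on the Origin header.
                headers.Append("Vary", "Origin");

                if (string.Equals(context.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase))
                {
                    // Answer the preflight here; the token endpoint never sees it.
                    headers.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
                    headers.Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Custom-Header");
                    context.Response.StatusCode = 204;
                    return;
                }
            }

            // Unknown origins fall through with no CORS headers, so the browser blocks them.
            await next();
        });
    }
}
```

Call `app.UseCorsAllowlist();` ahead of the OAuth server registration and drop the Web API `EnableCors` attributes for those routes so the headers are not emitted twice.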