I am trying to add some [WebMethod] annotated endpoint functions to a Webforms style web app (.aspx and .asmx).
I'd like to annotate those endpoints with [EnableCors] and thereby get all the good ajax-preflight functionality.
VS2013 accepts the annotation, but still the endpoints don't play nice with CORS. (They work fine when used same-origin but not cross-origin).
I can't even get them to function cross-origin with the down and dirty
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "*"); approach -- my browsers reject the responses, and the cross-origin response headers don't appear.
How can I get CORS functionality in these [WebMethod] endpoints?
6 Answers
Answers 1
I recommend double-checking you have performed all steps on this page: CORS on ASP.NET
In addition to:
Response.AppendHeader("Access-Control-Allow-Origin", "*"); Also try:
Response.AppendHeader("Access-Control-Allow-Methods","*"); / Try adding directly in web config:
<httpProtocol> <customHeaders> <add name="Access-Control-Allow-Methods" values="*" /> <add name="Access-Control-Allow-Headers" values="Content-Type" /> </customHeaders> <httpProtocol> Failing that, you need to ensure you have control over both domains.
Answers 2
If you need the preflight request, e.g. so you can send authenticated requests, you are not able to set Access-Control-Allow-Origin: *. It must be a specific Origin domain.
Also you must set the Access-Control-Allow-Methods and Access-Control-Allow-Headers response headers, if you are using anything besides the defaults.
(Note these constraints are just how CORS itself works - this is how it is defined.)
So, it's not enough to just throw on the [EnableCors] attribute, you have to set values to the parameters:
[EnableCors(origins: "https://www.olliejones.com", headers: "X-Custom-Header", methods: "PUT", SupportsCredentials = true)] Or if you want to do things manually and explicitly:
HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Origin", "https://www.olliejones.com"); HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Headers", "X-Custom-Header"); HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Methods", "PUT"); HttpContext.Current.Response.AppendHeader("Access-Control-Allow-Credentials", "true"); One last thing - you do have to call .EnableCors() on initiation. In e.g. MVC or WebAPI, you would call this on HttpConfiguration, when registering the config and such - however I have no idea how it works with WebForms.
Answers 3
Here is a good read. It sounds like you are trying to use jQuery and json-p. I had a problem with this as well while building an API and trying to access it from a different domain.
JSONP is inherently read-only. You want to use CORS.
Here is the difference. So, JSONP or CORS?
Here is how to implement CORS in jQuery. http://www.eriwen.com/javascript/how-to-cors/
Answers 4
I think your code looks good, but IIS does not send the header entity alone with response expectedly. Please check whether IIS is configured properly.
If CORS doesn't work for your particularity problem, maybe jsonp is another possible way.
Answers 5
If you use the AppendHeader method to send cache-specific headers and at the same time use the cache object model (Cache) to set cache policy, HTTP response headers that pertain to caching might be deleted when the cache object model is used. This behavior enables ASP.NET to maintain the most restrictive settings. For example, consider a page that includes user controls. If those controls have conflicting cache policies, the most restrictive cache policy will be used. If one user control sets the header "Cache-Control: Public" and another user control sets the more restrictive header "Cache-Control: Private" via calls to SetCacheability, then the "Cache-Control: Private" header will be sent with the response.
You can create a httpProtocol in web config for customHeaders.
<httpProtocol> <customHeaders> <add name="Access-Control-Allow-Methods" values="*" /> </customHeaders> <httpProtocol> Answers 6
You can do like this in MVC
[EnableCors(origins: "*", headers: "*", methods: "*")] public ActionResult test() { Response.AppendHeader("Access-Control-Allow-Origin", "*"); return View(); } 
0 comments:
Post a Comment