CORS POST Requests not working - OPTIONS (Bad Request)

Topics: ASP.NET MVC, ASP.NET Web API
Jul 18, 2013 at 2:54 AM
Edited Jul 22, 2013 at 1:39 AM
I'm having a lot of trouble getting a cross domain POST request to hit an Api controller in the latest beta 2 release.

Chrome (and other browsers) spit out:

OPTIONS http://api.hybridwebapp.com/api/values 400 (Bad Request)
POST http://api.hybridwebapp.com/api/values 404 (Not Found)

It may be related to this issue but I have applied that workaround and several other fixes such as web.config additions here

I've been banging my head with this for a while so I created a solution to reproduce the problem exactly.

Load the web app; there will be 2 buttons, one for GET and one for POST, and the response will appear next to the button. GET works. Cannot get POST to return successfully.


I'm able to get a hint at the cause from Fiddler, but it makes no sense, because if you look at the response it DOES include the domain in the Access-Control-Allow-Origin header.


There is a folder in the solution called "ConfigurationScreenshots" with a few screenshots of the IIS configuration (website bindings) and Project properties configurations to make it as easy as possible to help me :)


https://dl.dropboxusercontent.com/u/13814624/HybridWebApp.zip

EDIT: Don't forget to add this entry to the hosts file (%SystemRoot%\system32\drivers\etc):

127.0.0.1 hybridwebapp.com api.hybridwebapp.com


Thanks in advance
Jul 21, 2013 at 4:31 AM
Edited Jul 22, 2013 at 4:39 AM
It seems that Chrome and Safari allow me to proceed with the POST regardless of the error message in the OPTIONS response, but Firefox and IE do not.

Look at the Fiddler screenshots of the OPTIONS request; it has

Access-Control-Allow-Origin: http://hybridwebapp.com


And yet the error:

The origin http://hybridwebapp.com is not allowed


That is completely contradictory; it's as if it's ignoring the header.
Coordinator
Jul 24, 2013 at 9:14 PM
Most likely you are hitting https://aspnetwebstack.codeplex.com/workitem/954. We should have a fix checked in shortly.

Daniel Roth
Microsoft
Developer
Jul 24, 2013 at 9:22 PM
Hi Parliament718,


Issue 954 likely causes the 400 Option and the response body. However, the root cause of the confusing response is that you're mixing two different CORS solutions that are not compatible.

Solution 1) WebAPI CORS. It will manage the headers, so you shouldn't add a default custom header in web.config.
Solution 2) Update web.config to add a default CORS header to every response. It is a solution from before you had the WebAPI CORS feature. It is a compromise because it not only lacks flexibility in configuration but is also dangerous, because you literally expose every response to CORS.

Mixing them together will cause solution 2 to overwrite solution 1's output.

So, please don't.

Regards,
Troy
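
Added example (not part of the thread and not ASP.NET Web API code): a simplified JavaScript model of the preflight check described in the current Fetch standard, showing why an OPTIONS response that carries the right Access-Control-Allow-Origin value is still rejected when its status is 400. It also covers a case beyond the thread, a response in which two layers each emit the header; `checkPreflight`, the sample responses and the JSON content type are assumptions made for illustration.

```javascript
// Simplified model of a browser's CORS preflight check (credentials mode not modelled).
// A response is { status, headers: [[name, value], ...] } as seen on the wire.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

function headerValue(resp, name) {
  // Repeated header lines are combined into one value joined by ", ".
  return resp.headers
    .filter(([n]) => n.toLowerCase() === name)
    .map(([, v]) => v.trim())
    .join(", ");
}

function listOf(value) {
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function checkPreflight(resp, req) {
  const fail = (reason) => ({ allowed: false, reason });
  // 1. The OPTIONS response must be 2xx; CORS headers on a 400 are ignored.
  if (resp.status < 200 || resp.status > 299) return fail("preflight status " + resp.status);
  // 2. The value must be "*" or exactly the origin; a doubled header yields "a, a".
  const acao = headerValue(resp, "access-control-allow-origin");
  if (acao !== "*" && acao !== req.origin) return fail("origin mismatch: " + acao);
  // 3. Methods outside GET/HEAD/POST must be listed in Access-Control-Allow-Methods.
  const methods = listOf(headerValue(resp, "access-control-allow-methods"));
  const method = req.method.toUpperCase();
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes("*") &&
      !methods.includes(method.toLowerCase())) return fail("method not allowed: " + method);
  // 4. Each name sent in Access-Control-Request-Headers must be listed.
  const allowed = listOf(headerValue(resp, "access-control-allow-headers"));
  const missing = req.headers.map((h) => h.toLowerCase())
    .filter((h) => !allowed.includes("*") && !allowed.includes(h));
  if (missing.length) return fail("header not allowed: " + missing.join(", "));
  return { allowed: true, reason: "ok" };
}

// Constructed samples, not the thread's Fiddler captures. Assumption: JSON POST body.
const ORIGIN = "http://hybridwebapp.com";
const request = { origin: ORIGIN, method: "POST", headers: ["content-type"] };
const allow = [["Access-Control-Allow-Origin", ORIGIN], ["Access-Control-Allow-Headers", "content-type"]];
const samples = {
  status400: { status: 400, headers: allow },
  doubled: { status: 200, headers: [["access-control-allow-origin", ORIGIN], ...allow] },
  clean: { status: 200, headers: allow },
};
for (const [name, resp] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkPreflight(resp, request)));
}
```

Running the same function over header/status pairs copied from a proxy capture gives a quick answer to which of the four checks a given preflight fails.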
Sep 4, 2013 at 8:30 PM
Edited Sep 4, 2013 at 8:36 PM
.