Web API CORS requests and browser cache

Topics: ASP.NET Web API
Jun 9, 2014 at 11:14 AM

We're using web api cors requests in our application and many api calls are cacheable by the clients, i.e. browsers.

Chrome and Firefox caches the responses as they are supposed to but Internet Explorer and Safari always performs new requests.

        [EnableCors("*", "*", "*")]
        public HttpResponseMessage Get()
            var response = Request.CreateResponse(HttpStatusCode.OK, 
                new StringContent("GET: Test message"));
            response.Headers.CacheControl = new CacheControlHeaderValue 
                Public = true, 
                MaxAge = DateTime.UtcNow.AddDays(7) - DateTime.UtcNow 

            response.Headers.ETag = new EntityTagHeaderValue("\"" + Guid.NewGuid().ToString() + "\"");

            return response;
JQuery ajax request (issued from another domain):
            type: 'GET',
            url: 'http://next.b.se/api/tests'
        }).done(function (data) {
        }).error(function (jqXHR, textStatus, errorThrown) {
Request (from fiddler):
GET http://next.b.se/api/tests HTTP/1.1
Referer: http://hitta.a.se/local.html
Accept: */*
Accept-Language: en,sv-SE;q=0.5
Origin: http://hitta.a.se
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: next.b.se
DNT: 1
Connection: Keep-Alive
Response (from fiddler):
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
ETag: "4bfa551b-61db-42cb-8877-25f20a0ec94d"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Access-Control-Allow-Origin: *
Date: Mon, 09 Jun 2014 10:58:12 GMT
Content-Length: 192
When loading the page hitta.a.se/local.html, from which the cross domain request is done, the first time after cleaning the browser cache all browsers (IE, CHrome, FF and Safari) makes a request to the api endpoint as expected.

When loading the page hitta.a.se/local.html the second time in a new tab and hitting return Chrome and FF gets the cached version, i.e. no request is issued to the api (as expected due to the cache-control headers) according to Fiddler and dev tools. The problem is that IE issues a new request, it does not use the cached version and it doesn't issue a conditional get using the etag and if-none-match header.

Which is the appropriate approach if we would like IE and Safari to use the cached version?