I have a project using web api and one using asp.net mvc. They are configured using CORS module.
The project using Web Api is configured to allow any origin because it's deployed on Azure and it's an OData endpoint, so we don't know who is going to consume it.
// inside configuration
config.EnableCors();
// controllers
[EnableCors(origins: "*", headers: "*", methods: "*")]
[Authorize]
[HttpPost]
public void ...
From my MVC client, using Angular $http
we issue an authenticated request using Bearer token which looks like this one:
Request URL:http://myodata.com/Products
Request Method:GET
Status Code:200 OK
Remote Address:123.123.123.123
And this is the header sent
Host: myodata.com
Authorization: bearer 123-ABC
Origin: http://myclient.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
Referer: http://myclient.com/
The problem lays in the response as you can see here:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Because after we upgraded from 5.2.2 to 5.2.3 the CORS module is sending out Access-Control-Allow-Origin: *
And clearly, from the browser, we get this error:
XMLHttpRequest cannot load http://myodata.com/Products.
The value of the 'Access-Control-Allow-Origin' header
in the response must not be the wildcard '*'
when the request's credentials mode is 'include'.
Origin 'http://myclient.com' is therefore not allowed access.
The credentials mode of requests initiated by the XMLHttpRequest
is controlled by the withCredentials attribute.
But the call succeed actually, it bombs on the Angular side. We didn't have this issue until today, after we upgraded from 5.2.2 to 5.2.3
One thing to try is setting the header using the URL Rewrite Module, by adding the following to your Web.config
or ApplicationHost.config
file in %SystemDrive%\inetpub\wwwroot\
.
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Make Access-Control-Allow-Origin echo Origin">
<match serverVariable="RESPONSE_Access-Control-Allow-Origin"
pattern=".+" negate="true" />
<action type="Rewrite" value="{HTTP_ORIGIN}" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
If the above doesn’t work, then you can try the version in the answer over at CORS in IIS issue with credentials and wildcard in Access-Control-Allow-Origin.
Another approach: in the global.asax
or other code for your service, add something like:
if (ValidateRequest()) {
Response.Headers.Remove("Access-Control-Allow-Origin");
Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["origin"]);
Response.Headers.Remove("Access-Control-Allow-Credentials");
Response.AddHeader("Access-Control-Allow-Credentials", "true");
Response.Headers.Remove("Access-Control-Allow-Methods");
Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
}
...the most important part of that being this:
Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["origin"]);
In either case the end effect should be: your backend takes the value of the Origin
request header and echoes it back as the Access-Control-Allow-Origin
response-header value.