NancyFx not returning CORS for OPTIONS requests
At the moment i'm overriding the application startup in the autofac boostrapper to add in the headers below.
protected override void ApplicationStartup(ILifetimeScope container, IPipelines pipelines)
{
pipelines.AfterRequest.AddItemToEndOfPipeline(ctx =>
{
ctx.Response
.WithHeader("Access-Control-Allow-Origin", "*")
.WithHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
.WithHeader("Access-Control-Allow-Headers", "Accept, Origin, Content-Type, Authorization");
});
base.ApplicationStartup(container, pipelines);
}
on all main routes the headers are correctly attached. However when an OPTIONS pre-flight request is sent from chrome, postman or fiddler the headers are not attached.
Here's a typical get call:
Here's the browser request
Now in the browser request i'm getting back the wrong set of Allow.
For context, i'm currently using the clinteastwood release, but had this in the stable version too. I'm leveraging the AutofacBootstrapper, Owin & Owin.StatelessAuth.
I also tried installing Microsoft.Owin.Cors and using app.UseCors(CorsOptions.AllowAll); with no success
I'm obviously doing something wrong, I'm just not sure what...
Can anyone explain this behaviour?
For those interested, an obvious answer would be placing the following in the web.config.
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Accept, Origin, Content-Type, Authorization" />
</customHeaders>
</httpProtocol>
</system.webServer>
But i'm more curious about the behaviour or my implementation as to where i've gone wrong
- Angular 18 CORS issue with Springboot as backend
- CORS (cross origin resource sharing) using PHP
- How to Solve CORS error in accessing laravel routes
- How do I fix CORS issue in Fetch API
- How to stop CORS from blocking connections to my node netlify server?
- Enable access control on simple HTTP server
- Security implications of adding all domains to CORS (Access-Control-Allow-Origin: *)
- CORS error while consuming calling REST API with React
- CORS issue with express.js
- Adding headers to iis static files not working in asp.net CORE
- Google Maps API: No 'Access-Control-Allow-Origin' header is present on the requested resource
- Issue with CORS origin linked to API key
- How does the 'Access-Control-Allow-Origin' header work?
- Google Cloud Storage request blocked by CORS: not allowed by Access-Control-Allow-Origin
- canvas.toDataURL() SecurityError
- How to fetch a resource from a github release?
- Blazor WASM Local dev CORS errors fetching API endpoints
- how to set up cors() in typescript express
- R2: Setting CORS policy with different methods per allowed-origins
- How to bypass CORS policy when sending get/post request from React JS?
- Firebase-Storage Access to fetch at '..' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource
- The 'Access-Control-Allow-Origin' header contains multiple values
- CORS Issue - Between Dev and Prod
- Does a proper CORS setup prevent CSRF attack?
- Cors isn't working on express , even after setting it
- When do browsers send the Origin header? When do browsers set the origin to null?
- XMLHttpRequest error in flutter web [Enabling CORS AWS API gateway]
- how does an OPTIONS request get handled if `preFlightContinue` is used
- Why doesn't adding CORS headers to an OPTIONS route allow browsers to access my API?
- How do I fix this cors error when attempting to host on vercel