Practically speaking, I had faced this issue. I have gone one step further to check WebAPI, and the same effort was required when I analysed it. So I had to fix this CORS with WCF. I will try to explain in short. Here we go.

When you access a WCF request cross-origin, like from JS code existing in a different domain, and from JS you try to do a PUT or POST request, the browser first sends an OPTIONS request (405 HTTP Status), to see if this domain is in the allowed list. Then, if your WCF responds to the OPTIONS request and sends the required response with header values, the browser will again do a POST or PUT request (whichever the browser issued earlier), and it will work as expected.
NOTE: you cannot send ("Access-Control-Allow-Origin", "*"), because there is a security feature that mandates the required domain name to be listed in Access-Control-Allow-Origin instead of *.
For more info -
http://social.msdn.microsoft.com/Forums/ro-RO/5613de55-2573-49ca-a389-abacb39e4f8c/wcf-rest-service-post-cross-domain-not-working?forum=wcf
https://stackoverflow.com/questions/26163802/wcf-cors-request-from-jquery-not-working
From practical experience, I have tried * in that header, and it was not working. If you don't believe me, go ahead and try.

Finally, the code is as follows. You need to put this in Global.asax.
    // Global.asax code-behind; needs "using System;" and "using System.Web;".
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Headers[...] returns null when the header is absent, so ToString() is not called on it.
        string domainname = HttpContext.Current.Request.Headers["Origin"];
        if (IsAllowedDomain(domainname))
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", domainname);

        string allowedmethods = "POST, PUT, DELETE, GET";
        string headers = HttpContext.Current.Request.Headers["Access-Control-Request-Headers"];
        string accesscontrolmaxage = "1728000";
        string contenttypeforoptionsrequest = "application/json";

        if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
        {
            // These headers handle the "pre-flight" OPTIONS call sent by the browser
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", allowedmethods);
            if (!string.IsNullOrEmpty(headers))
                HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", headers);
            HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", accesscontrolmaxage);
            // Set the content type through the response property ("ContentType" is not a header name).
            HttpContext.Current.Response.ContentType = contenttypeforoptionsrequest;
            HttpContext.Current.Response.End();
        }
    }

    private bool IsAllowedDomain(string domain)
    {
        if (string.IsNullOrEmpty(domain)) return false;
        // You can place comma-separated domains here.
        string[] alloweddomains = "http://192.168.0.70:8001".Split(',');
        foreach (string alloweddomain in alloweddomains)
        {
            // Case-insensitive comparison against each allowed origin
            if (string.Equals(domain, alloweddomain.Trim(), StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
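To check what a browser will accept from the OPTIONS reply described above, the following added example (not part of the original answer) models the browser-side preflight decision in simplified form, including the rule that a wildcard origin is rejected for requests sent with credentials. The function name `preflightAllows`, the request shape and the sample reply are assumptions constructed for illustration.

```javascript
// Added example: simplified model of the browser-side preflight check (not a full Fetch implementation).
const SAFE_METHODS = ["GET", "HEAD", "POST"];

// Split a comma-separated header value into trimmed, lower-cased tokens.
function tokens(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// req:  { origin, method, headers: [non-safelisted header names], credentials: boolean }
// resp: headers of the OPTIONS reply, keyed by lower-case header name
function preflightAllows(req, resp) {
  const allowOrigin = resp["access-control-allow-origin"];
  if (!allowOrigin) return { ok: false, reason: "no Access-Control-Allow-Origin" };
  if (req.credentials) {
    if (allowOrigin === "*") return { ok: false, reason: "wildcard origin with credentials" };
    if (resp["access-control-allow-credentials"] !== "true")
      return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  if (allowOrigin !== "*" && allowOrigin !== req.origin)
    return { ok: false, reason: "origin mismatch" };

  const wildcardOk = !req.credentials; // "*" in the lists below only counts without credentials
  const method = req.method.toUpperCase();
  const methods = tokens(resp["access-control-allow-methods"]);
  if (!SAFE_METHODS.includes(method) && !methods.includes(method.toLowerCase()) &&
      !(wildcardOk && methods.includes("*")))
    return { ok: false, reason: "method " + method + " not allowed" };

  const allowed = tokens(resp["access-control-allow-headers"]);
  for (const name of req.headers || []) {
    if (!allowed.includes(name.toLowerCase()) && !(wildcardOk && allowed.includes("*")))
      return { ok: false, reason: "header " + name + " not allowed" };
  }
  return { ok: true, reason: "preflight passes" };
}

// Constructed sample: the reply the Application_BeginRequest handler above sends for its allowed origin.
const sampleReply = {
  "access-control-allow-origin": "http://192.168.0.70:8001",
  "access-control-allow-methods": "POST, PUT, DELETE, GET",
  "access-control-allow-headers": "content-type",
  "access-control-max-age": "1728000",
};
const put = { origin: "http://192.168.0.70:8001", method: "PUT", headers: ["Content-Type"], credentials: false };
console.log(preflightAllows(put, sampleReply));
console.log(preflightAllows({ ...put, credentials: true }, { ...sampleReply, "access-control-allow-origin": "*" }));
```

The handler above never sends `Access-Control-Allow-Credentials`, so in this model a request made with credentials fails the preflight even from the allowed origin.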