none
How do I tell my service (all calls REST/JSON) to handle OPTIONS requests?

    Question

  • Hi;

    I have written a WCF service to return JSON on REST requests. Works great with a browser hitting it. But when my JavaScript hits it, the first request is an OPTIONS request for the url with "Access-Control-Request-Method: GET".

    What do I need to do so the service will respond appropriately when asked if a GET can be requested on a url?

    thanks - dave


    Who will win The Windward International Collegiate Programming Championships?

    Thursday, June 13, 2013 7:59 PM

Answers

All replies

  • Hi David,

    Your browser is doing a CORS (Cross-Origin Resource Sharing) preflight request, to avoid XSS (Cross-Site Scripting) attacks.

    You can read many documentation on how to handle that special requests, for instance, here.

    If you are not using Authentication through the "Authorization" HTTP header and using the Microsoft implementation of that protocol, handling CORS preflight requests should be straightforward.

    You can check the complete CORS W3C specification here.

    You can check another good implementation here.

    I hope this helps. :)

    Best regards,

    Fernando Rocha




    Friday, June 14, 2013 3:17 PM
  • Hi;

    Thank you for the link. Unfortunately it doesn't work. The code won't compile (Dictionary is a generic collection, not a class) and the web.config settings are illegal.

    Does anyone know of a code sample for this that works?

    thanks - dave


    Who will win The Windward International Collegiate Programming Championships?

    Friday, June 14, 2013 4:21 PM
  • Hi again;

    I have another question. All requests are hitting the same IIS server. Why is that considered cross site?

    thanks - dave


    Who will win The Windward International Collegiate Programming Championships?

    Friday, June 14, 2013 9:30 PM
  • Hi,

    The standard says that it is considered the same origin if, and only if, you request a page within the exact same full domain and the same port. You are only allowed to access different folders within the URL. You can read more about that here, it has a good example table about that.

    I'm preparing a Visual Studio sample for you...

    Best regards,

    Fernando Rocha

    Friday, June 14, 2013 10:25 PM
  • Hi again,

    I've made this Visual Studio sample. It has a WCF Data Service that answers to CORS preflight requests. You can download the source-code here.

    You may modify the source-code to optimize the behaviour, it's not completely optimized.

    Please tell me if this works for you.

    Best regards,

    Fernando Rocha

    • Proposed as answer by FernandoRocha Monday, June 17, 2013 9:45 AM
    • Unproposed as answer by DavidThi808 Monday, June 17, 2013 4:38 PM
    Friday, June 14, 2013 10:55 PM
  • Hi;

    Unfortunately, no. I'm getting the following error:

    Error: Cannot obtain Metadata from http://localhost:2329/WcfDataService1.svc If this is a Windows (R) Communication Foundation service to which you have access, please check that you have enabled metadata publishing at the specified address.  For help enabling metadata publishing, please refer to the MSDN documentation at http://go.microsoft.com/fwlink/?LinkId=65455.WS-Metadata Exchange Error    URI: http://localhost:2329/WcfDataService1.svc    Metadata contains a reference that cannot be resolved: 'http://localhost:2329/WcfDataService1.svc'.    The remote server returned an unexpected response: (405) Method Not Allowed.    The remote server returned an error: (405) Method Not Allowed.HTTP GET Error    URI: http://localhost:2329/WcfDataService1.svc    The document at the url http://localhost:2329/WcfDataService1.svc/ was not recognized as a known document type.The error message from each known type may help you fix the problem:- Report from 'XML Schema' is 'The root element of a W3C XML Schema should be <schema> and its namespace should be 'http://www.w3.org/2001/XMLSchema'.'.- Report from 'DISCO Document' is 'Discovery document at the URL http://localhost:2329/WcfDataService1.svc/ could not be found.'.  - The document format is not recognized.- Report from 'WSDL Document' is 'There is an error in XML document (1, 40).'.  - <service xmlns='http://www.w3.org/2007/app'> was not expected.

    Any idea why?

    thanks - dave


    Who will win The Windward International Collegiate Programming Championships?

    Monday, June 17, 2013 4:39 PM
  • Hi;

    Is there a way to turn of the check for CORS? When I go to production everything will be on the same server so this won't be an issue. But for development my JavaScript runs under IIS on my box while the REST/JSON server runs under the VisualStudio debug server.

    ??? - thanks - dave


    Who will win The Windward International Collegiate Programming Championships?

    Monday, June 17, 2013 4:41 PM
  • Hi,

    I understand David, but it's not possible to turn off the OPTIONS preflight request, it's designed to be practically impossible to manipulate.

    There are some workarounds that involve making the browser believe that it's not a cross site request. Here is a beautiful document about that: Breaking The Cross Domain Barrier.

    But... be aware that everything else besides CORS are workarounds (or hacks), not something standard and compatible with future browsers.

    Try this solution, doesn't fire that error: Download from SkyDrive

    The error that appeared to you is just a "warning", if you accessed http://localhost:2329/WcfDataService1.svc/Movies it would work even after the error occurs.


    Hope this helps,

    Fernando Rocha


    Monday, June 17, 2013 5:16 PM
  • Using the WebApplication 1v2 you posted earlier, I get a 501 Not Implemented when sending the preflight OPTIONS request from another web application.  How can I prevent the 501 error?
    • Edited by Nathan Rose Wednesday, November 06, 2013 10:05 PM
    Wednesday, November 06, 2013 10:04 PM