ASP.NET MVC. The CORS issues are between several apps in different domains: {"message":"The origin '#ui#' is not allowed."}

  • Question

  • Hello everyone,

    I am faced with supporting an old project. The project implementation contains two different projects which need to be deployed in different domains. The first one is based on Angular and contains the UI parts. The first project also sends requests to the second project, which is the ASP.NET MVC Web API project with the business logic.

    I know that the project's code is correct, because the project is working on some platforms.

    But after deployment I get this error in the response to the OPTIONS request to the Web API application in Google Chrome:

    {"message":"The origin '#ui_url#' is not allowed."}

    At the same time, GET and POST requests are working.

    Full headers:

    Request headers: 
    Request URL:web_api/api/OptionMethod 
    Request Method:OPTION
    Status Code:400 Bad Request 
    Remote Address:##.##.##.##:## 
    Referrer Policy:no-referrer-when-downgrade 
    Response Headers 
    Access-Control-Allow-Headers:* 
    Access-Control-Allow-Methods:* 
    Access-Control-Allow-Origin:* 
    Cache-Control:no-cache 
    Content-Length:93 
    Content-Type:application/json; charset=utf-8 
    Date:#date 
    Expires:-1 
    Pragma:no-cache 
    Server:Microsoft-IIS/8.5 
    X-AspNet-Version:4.0.30319 
    X-Powered-By:ASP.NET 
    Request Headers 
    Accept:*/* 
    Accept-Encoding:gzip, deflate 
    Accept-Language:en-US,en;q=0.8 
    Access-Control-Request-Method:POST 
    Connection:keep-alive 
    Host:web_api/api/OptionMethod 
    Origin:#ui_url# 
    Referer:#ui_url#/Controller/OptionMethod 
    User-Agent:Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

    I added these headers to the response from the Web API manually in IIS:

    Access-Control-Allow-Headers:*
    Access-Control-Allow-Methods:*
    Access-Control-Allow-Origin:*

    It didn't help.

    Also, I have CORS settings in code as an attribute class:

    config.EnableCors(#cors_attribute#);

    which is appending origins to policy:

    policy = new CorsPolicy()
    {
      AllowAnyMethod = true,
      AllowAnyHeader = true
    };
    
    var origins = #cors_urls#;
    foreach (var origin in origins)
    {
       policy.Origins.Add(origin);
    }

    But all that doesn't help.

    My web.config on web.api side:

    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxAllowedContentLength="52428800" />
          <verbs>
            <add verb="OPTIONS" allowed="true" />
          </verbs>
        </requestFiltering>
      </security>
      <validation validateIntegratedModeConfiguration="false" />
      <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDAVModule" />
      </modules>
      <handlers>
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
        <remove name="OPTIONSVerbHandler" />
        <!--Trying 1-->
        <!-- <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" -->
        <!-- modules="IsapiModule" requireAccess="None" -->
        <!-- scriptProcessor="C:\Windows\System32\inetsrv\asp.dll" -->
        <!-- resourceType="Unspecified" /> -->
        <!--Trying 2-->
        <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS"
             modules="ProtocolSupportModule" requireAccess="None" />
        <remove name="TRACEVerbHandler" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
      </handlers>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*" />
          <add name="Access-Control-Allow-Headers" value="*" />
          <add name="Access-Control-Allow-Methods" value="*" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

    Based on that Stack Overflow link, I tried to add OPTIONSVerbHandler manually (Trying 1 and 2 from the config above), but it didn't give results either.

    Does anybody have ideas?

    Thanks.



    • Edited by Denis99 Monday, July 17, 2017 1:14 PM
    Monday, July 17, 2017 1:11 PM

Answers

  • The solution is updating the CorsPolicy class for the CORS attribute:

    policy = new CorsPolicy()
    {
      AllowAnyMethod = true,
      AllowAnyHeader = true,
      AllowAnyOrigin = true // the new one
    };

    Thanks.
    Monday, July 17, 2017 3:20 PM
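
Added example, not part of the original thread or the poster's project: `AllowAnyOrigin = true` makes the API answer preflights from any site, so a narrower alternative is to keep the allow-list and normalize each configured URL to the exact `scheme://host[:port]` string browsers send in `Origin`, since Web API compares that header against `policy.Origins` as a plain string. The class name `OriginAllowListCorsAttribute` and the sample origins are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

// Hypothetical policy provider; name and sample origins are assumptions.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class OriginAllowListCorsAttribute : Attribute, ICorsPolicyProvider
{
    private readonly CorsPolicy _policy = new CorsPolicy
    {
        AllowAnyMethod = true,
        AllowAnyHeader = true
        // AllowAnyOrigin is left false: only the listed origins pass.
    };

    public OriginAllowListCorsAttribute(params string[] configuredOrigins)
    {
        foreach (var raw in configuredOrigins)
        {
            _policy.Origins.Add(NormalizeOrigin(raw));
        }
    }

    // Reduce a configured URL to the form a browser sends in the Origin
    // header: scheme://host[:port], lower-case, no path, no trailing slash.
    public static string NormalizeOrigin(string raw)
    {
        Uri uri;
        if (!Uri.TryCreate(raw.Trim(), UriKind.Absolute, out uri) ||
            (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
        {
            throw new ArgumentException("Not an http(s) origin: " + raw);
        }
        // SchemeAndServer omits default ports (80/443), as browsers do.
        return uri.GetComponents(UriComponents.SchemeAndServer, UriFormat.UriEscaped)
                  .ToLowerInvariant();
    }

    public Task<CorsPolicy> GetCorsPolicyAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        return Task.FromResult(_policy);
    }
}

// Registration in WebApiConfig.Register (constructed sample origins):
// config.EnableCors(new OriginAllowListCorsAttribute(
//     "https://ui.example.com/", "HTTP://UI.EXAMPLE.COM:8080/app"));
```

With a policy like this, the static `Access-Control-Allow-*` entries under `<customHeaders>` in web.config should be removed, because IIS adds them to every response regardless of what the policy decides.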

All replies

  • Monday, July 17, 2017 3:31 PM
  • Hi Denis99,

    Thanks for sharing the solution, and I would suggest you mark your reply as answer to close this thread, and then others who run into the same issue would find the solution easily.

    @Da924x,

    Thanks for your efforts on the WCF Forum. I agree with you that this issue is more related to Web API, but MSDN and the ASP.NET forum are separate forums, so we could not move it to the ASP.NET forum. And this forum is for discussing and asking questions about general managed code networking topics such as serialization, System.NET, Windows Communication Foundation (WCF), and Web Services.

    We will try our best to provide the OP with any solid suggestions.

    Best Regards,

    Edward



    Tuesday, July 18, 2017 2:06 AM