Hi,

We have a WebAPI 2 project developed in Visual Studio 2013 that we want to allow cross domain calling of the API and it is working locally on the dev machine but not when deployed to the cloud service.

- Hosted in a cloud service

- Running OS : Server 2012 R2

- version: Automatic

- Instance size: extra small

Dev machine

- Windows 8 Pro 64bit

- Azure SDK 2.2

- VS 2013

- IIS 8.5

The project has the nuget package Microsoft.AspNet.WebApi.Cors 5.1.0-rc1 installed (also tested with 5.0.0) to enableCORS

I have followed the guide found at http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

In the WebApiConfig.Register() cors is enabled using config.EnableCors();

My controller simply has

[EnableCors(origins: "*", headers: "*", methods: "*")]
    [RoutePrefix("api/v1/books")]
    public class BookController : ApiController
    {

[Route("")]
        public string Get()
        {
            return Guid.NewGuid().ToString();
        }

}

When examining the requests and responses using fiddler I can see that when a cross domain request is being made the 'origin' header exists in the request and when I receive a response there is no 'access-control-allow-origin' header present when the solution is running as a cloud service. When testing locally using the azure emulators and also as in ISS as a simple WebAPI project, this works fine.

I've tested using web clients running a website locally as well as from an azure website, all provide a consistent result.

I've tried to add the following settings into the web.config but this did help.

</system.webServer>

<httpProtocol>

<customHeaders>

<add name="Access-Control-Allow-Origin" value="*" />

<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization" />

<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE" />

</customHeaders>

</httpProtocol>

</system.webServer>

It seems as though the 'Access-Control-Allow-Origin' header is being stripped away.

I did find another post that was suggesting that the firewall on windows 2012 was removing the header (http://stackoverflow.com/questions/20844278/webapi2-cors-runs-on-iis8-in-windows-server-2012), but not sure where to go from here.

What else can I try? I really need to understand where the header (Access-Control-Allow-Origin) is being removed.

Any help will be much appreciated.

Thanks

Martyn

Hi,

Did you specify the Allowed HTTP Methods? Did you try your project work in un-cross-domain background ? How did your call this method?

Also, You could refer to this post form ( http://encosia.com/using-cors-to-access-asp-net-services-across-domains/).

Regards,

Will

Hi,

I placed the [EnableCors(origins: "*", headers: "*", methods: "*")] on the ApiController class level, which I understand will enable CORS for all API methods.

I am call the Api using the following jquery

 $.ajax({
        type: 'GET',
        url: getURL,
        dataType: 'json'
    })
    .done(
        function (data, textStatus, jqXHR) {
            $("#" + elementId).text(jqXHR.responseText || data);
        }
    )
    .fail(
        function (jqXHR, textStatus, errorThrown) {
            $("#" + elementId).text(textStatus);
        }
    );

I've also tested using the test client found at http://client.cors-api.appspot.com/client and I am seeing the same result.

I've just tested adding the EnableCors attribute explicitly to the api method I want to expose, but still the request still fails.

I have tested the calls to the exposed API in a non cross domain way by including the client code in the same webAPI project, and this works as expected, and as this all works cross domain when running locally.

Regards

Martyn

update...

Just tried the newest nuget cors (5.1.0) package and still no success.