Hi,
We have a WebAPI 2 project developed in Visual Studio 2013 that we want to allow cross domain calling of the API and it is working locally on the dev machine but not when deployed to the cloud service.
- Hosted in a cloud service
- Running OS : Server 2012 R2
- version: Automatic
- Instance size: extra small
Dev machine
- Windows 8 Pro 64bit
- Azure SDK 2.2
- VS 2013
- IIS 8.5
The project has the nuget package Microsoft.AspNet.WebApi.Cors 5.1.0-rc1 installed (also tested with 5.0.0) to enableCORS
I have followed the guide found at http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api
In the WebApiConfig.Register() cors is enabled using config.EnableCors();
My controller simply has
[EnableCors(origins: "*", headers: "*", methods: "*")][RoutePrefix("api/v1/books")]
public class BookController : ApiController
{
[Route("")]
public string Get()
{
return Guid.NewGuid().ToString();
}
}
When examining the requests and responses using fiddler I can see that when a cross domain request is being made the 'origin' header exists in the request and when I receive a response there is no 'access-control-allow-origin' header present when the solution is running as a cloud service. When testing locally using the azure emulators and also as in ISS as a simple WebAPI project, this works fine.
I've tested using web clients running a website locally as well as from an azure website, all provide a consistent result.
I've tried to add the following settings into the web.config but this did help.
</system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept,Authorization" />
<add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE" />
</customHeaders>
</httpProtocol>
</system.webServer>
It seems as though the 'Access-Control-Allow-Origin' header is being stripped away.
I did find another post that was suggesting that the firewall on windows 2012 was removing the header (http://stackoverflow.com/questions/20844278/webapi2-cors-runs-on-iis8-in-windows-server-2012), but not sure where to go from here.
What else can I try? I really need to understand where the header (Access-Control-Allow-Origin) is being removed.
Any help will be much appreciated.
Thanks
Martyn