IIS hijacks CORS Preflight OPTIONS request

说谎 2020-11-27 03:57

I am making a CORS POST request and setting the Content-Type header to json. This triggers a Preflight OPTIONS request to fire (this is good and expected).

This OPTIO

12 answers
  • 2020-11-27 04:27

    In my case, I missed the Microsoft.WebApi.Cors package. Installed this package and configured it like so in the WebApiConfig class:

        public static void Register(HttpConfiguration config)
        {
            config.MapHttpAttributeRoutes();
            // Enable CORS globally: any origin, any header, any method.
            config.EnableCors(new EnableCorsAttribute("*", "*", "*"));
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    

    Please fine-tune this before using in production because you probably don't want to have wild-cards for everything.

  • 2020-11-27 04:29

    I know this is an old post, but I just went through the exact same problem.

    In my situation, I have CORS installed for both OWIN and WebAPI. The OWIN CORS middleware was intercepting the OPTIONS call long before it ever made it to the WebAPI stuff. Maybe this will help someone else in the future.

  • 2020-11-27 04:31

    That's what worked for me after 4 hours of searching/experimenting:

        <handlers>
            <remove name="OPTIONSVerbHandler" />
            <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\System32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />
        </handlers>
    
  • 2020-11-27 04:33

    This is what worked for me:

      <system.webServer>
        <handlers>
          <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
          <remove name="OPTIONSVerbHandler" />
          <remove name="TRACEVerbHandler" />
          <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
        </handlers>
      </system.webServer>
    
  • 2020-11-27 04:35

    In my case I did this:

        <security>
          <requestFiltering>
            <verbs allowUnlisted="true" applyToWebDAV="true">
              <remove verb="OPTIONS"/>
              <add verb="OPTIONS" allowed="true"/>
            </verbs>
          </requestFiltering>
        </security>
    

    When I added <add verb="OPTIONS" allowed="true"/> to the web.config, the application failed to start with this error:

    HTTP Error 500.19 - Internal Server Error
    The requested page cannot be accessed because the related configuration data for the page is invalid.
    
    Cannot add duplicate collection entry of type 'add' with unique key attribute 'verb' set to 'OPTIONS'
    

    So I had to remove it first.

  • 2020-11-27 04:38

    A couple of things you can try here, all web.config related. Firstly, modify your modules element to include the attribute runAllManagedModulesForAllRequests="true", as below:

    <modules runAllManagedModulesForAllRequests="true">
        <remove name="WebDavModule" />
    </modules>
    

    Then set your handlers to the below:

    <handlers>
       <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
       <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
       <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
       <remove name="WebDav" />
       <remove name="OPTIONSVerbHandler" />
       <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
       <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
       <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
    

    This should do the trick, but if it doesn't, as a last resort you can force IIS to output the correct headers with the below:

      <system.webServer>
        <httpProtocol>
          <customHeaders>
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
            <add name="Access-Control-Allow-Headers" value="Content-Type" />
          </customHeaders>
        </httpProtocol>
      </system.webServer>
    

    Be wary of the wildcard value; you should really set this to the domain name that your site will be hosted on.

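Added example, not part of any answer above and not code from the original page: a simplified Python model of the browser's preflight check, useful for confirming what a given web.config actually lets through. It evaluates the question's request (a POST with Content-Type: application/json) against two constructed responses: one with no CORS headers, standing for an OPTIONS request answered before the CORS code runs, and the forced customHeaders fallback from the last answer. The origin https://app.example and all function and variable names are assumptions.

```python
# Simplified model of the browser's CORS preflight check (added example).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}


def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in (value or "").split(",") if t.strip()}


def check_preflight(origin, method, req_headers, status, resp_headers,
                    credentials=False):
    """Return (errors, warnings); the preflight passes when errors is empty."""
    resp = {k.lower(): v for k, v in resp_headers.items()}
    errors, warnings = [], []
    if not 200 <= status <= 299:
        errors.append(f"status {status} is not 2xx")

    acao = resp.get("access-control-allow-origin")
    if acao is None:
        errors.append("no Access-Control-Allow-Origin header")
    elif acao == "*":
        warnings.append("wildcard origin: any site's script may read the response")
        if credentials:
            errors.append("wildcard origin is rejected for credentialed requests")
    elif acao != origin:
        errors.append(f"allowed origin {acao!r} does not match {origin!r}")
    # GET, HEAD and POST never need to be listed in Access-Control-Allow-Methods.
    methods = {m.upper() for m in _tokens(resp.get("access-control-allow-methods"))}
    if method.upper() not in SIMPLE_METHODS | methods and "*" not in methods:
        errors.append(f"method {method} not allowed")
    # Content-Type needs approval unless it is one of the three simple types.
    allowed = _tokens(resp.get("access-control-allow-headers"))
    for name, value in req_headers.items():
        simple = name.lower() in SIMPLE_HEADERS or (
            name.lower() == "content-type"
            and value.split(";")[0].strip().lower() in SIMPLE_CONTENT_TYPES)
        if not simple and name.lower() not in allowed and "*" not in allowed:
            errors.append(f"request header {name} not allowed")
    return errors, warnings


# Constructed sample data (not captured from a real server).
JSON_POST = {"Content-Type": "application/json"}
NO_CORS = {"Allow": "OPTIONS, TRACE, GET, HEAD, POST"}  # no CORS headers at all
FORCED = {"Access-Control-Allow-Origin": "*",  # customHeaders fallback
          "Access-Control-Allow-Methods": "GET,PUT,POST,DELETE,OPTIONS",
          "Access-Control-Allow-Headers": "Content-Type"}
```

Calling `check_preflight("https://app.example", "POST", JSON_POST, 200, NO_CORS)` reports the missing origin header and the unapproved Content-Type, while the same call with `FORCED` passes but carries the wildcard warning.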