I am trying to implement CORS support for my WebApi controllers and I am following an example here .
My handler looks like this:
/// <summary> /// Taken from http://blogs.msdn.com/b/carlosfigueira/archive/2012/02/20/implementing-cors-support-in-asp-net-web-apis.aspx /// </summary> public class CorsHandler : DelegatingHandler { private const string Origin = "Origin"; private const string AccessControlRequestMethod = "Access-Control-Request-Method"; private const string AccessControlRequestHeaders = "Access-Control-Request-Headers"; private const string AccessControlAllowOrigin = "Access-Control-Allow-Origin"; private const string AccessControlAllowMethods = "Access-Control-Allow-Methods"; private const string AccessControlAllowHeaders = "Access-Control-Allow-Headers"; private const string AccessControlAllowCredentials = "Access-Control-Allow-Credentials"; protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { var isCorsRequest = request.Headers.Contains(Origin); var isPreflightRequest = request.Method == HttpMethod.Options; if (isCorsRequest) { if (isPreflightRequest) { var response = new HttpResponseMessage(HttpStatusCode.OK); response.Headers.Add(AccessControlAllowOrigin, request.Headers.GetValues(Origin).First()); var accessControlRequestMethod = request.Headers.GetValues(AccessControlRequestMethod).FirstOrDefault(); if (accessControlRequestMethod != null) { response.Headers.Add(AccessControlAllowMethods, accessControlRequestMethod); } var requestedHeaders = string.Join(", ", request.Headers.GetValues(AccessControlRequestHeaders)); if (!string.IsNullOrEmpty(requestedHeaders)) { response.Headers.Add(AccessControlAllowHeaders, requestedHeaders); } response.Headers.Add(AccessControlAllowCredentials, "true"); var tcs = new TaskCompletionSource<HttpResponseMessage>(); tcs.SetResult(response); return response; } var resp = await base.SendAsync(request, cancellationToken); resp.Headers.Add(AccessControlAllowOrigin, request.Headers.GetValues(Origin).First()); resp.Headers.Add(AccessControlAllowHeaders, "*"); resp.Headers.Add(AccessControlAllowCredentials, "true"); return resp; } return await base.SendAsync(request, cancellationToken); } }
In my WebApiConfig class, I register this handler as follows:
config.MessageHandlers.Add(new CorsHandler());
And he receives an invitation for GET requests. But he does not receive invitations for any requests requiring a preliminary preview. The request is as follows:
Request OPTIONS /api/campaigns/1002/customerusers/1008 HTTP/1.1 Accept */* Origin http://app.dev.alanta.com Access-Control-Request-Method DELETE Access-Control-Request-Headers accept Accept-Encoding gzip, deflate User-Agent Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) Host dev.payboard.com Content-Length 0 DNT 1 Connection Keep-Alive Cache-Control no-cache
But, as I said, the handler is never called for the OPTIONS verb.
I thought there might be some other handler stopping this, but I deleted all the likely candidates and so far no luck.
My other theory is that it does not recognize a specific route for the OPTIONS verb and therefore never passes a request to the WebApi subsystem and is processed elsewhere. But I do not quite understand how to fix this.
Suggestions?