All geek questions in one place

Configure IIS Express 8 to enable CORS

I am writing WCF services that will be used by clients in the wild, so they must handle cross-origin requests. I had a problem submitting such development requests to my development server. Here is the scenario:

  • I am running a WCF project on an instance of Visual Studio 2012 using IIS Express 8 as a server on a specific port.
  • I am running a client project on another instance of Visual Studio 2012, also using IIS Express 8 as the server. This project uses AJAX to consume services in another project.

When I run the client project in IE, there is no problem because IE does not send the OPF preflight request. When I run it in Chrome, however, requesting OPTIONS options returns 405 Method Not Allowed, and Chrome refuses this service. Previous versions of Chrome would simply ignore the error and continue with the actual POST request (or Get, regardless ...), but later versions look pickier.

I also came across this with a deployed WCF project and solved it by moving OPTIONSVerbHandler to the top of the list of handler mappings in IIS.

I must indicate that I am using the most generous web.config settings that I can come up with to try to enable CORS. For example, I have this in the WCF project configuration:

<httpProtocol> <customHeaders> <remove name="X-Powered-By" /> <add name="Access-Control-Allow-Origin" value="*" /> <add name="Access-Control-Allow-Headers" value="*" /> <add name="Access-Control-Allow-Methods" value="*" /> <add name="X-Powered-By" value="*" /> </customHeaders> </httpProtocol>

Regardless of the fact that any client cross-start requests for a WCF project launched from code do not work with error 405.

Any help setting up the WCF or IIS Express 8 project itself to enable CORS?

Thanks!

+6
source share
4 answers

The answer is that the configuration needed to enable WCF to accept CORS presale messages has nothing to do with the IIS server; rather, the WCF project itself needs to be configured to handle the HTTP request using the OPTIONS verb.

In short: do it REALLY Tough. WCF is the jack of all professions when it comes to endpoints, so setting it up to do something very specific with one (HTTP) is not recommended, although it can be done. The real solution is to use the web API, which is an HTTP wizard and can be configured to make CORS very simple.

+1
source

You can enable cors for wcf, and it can be pretty simple once you know how to do it.

Developing DavidG's answer to the more general โ€œcors on IISโ€ question, an answer that is really close to what is required for the basic solution:

  • First configure OPTIONSVerbHandler to execute before handlers. Net.

    • In the IIS console, select Handler Mappings. (Do this either at the server level or at the site level. At the site level, it will override all the handlers on your site and ignore any changes made at the server level after that. And, of course, at the server level this can break other sites if they need their own verb processing options.)
    • In the action bar, select "View Order List ...". Look for OPTIONSVerbHandler and move it (many clicks ...).

    You can also do this in web.config by overriding all handlers in <system.webServer><handlers> . ( <clear> , and then <add ...> them back, this is what the IIS console does for you. By the way, there is no need to request a โ€œreadโ€ of this handler.)

  • Secondly, configure custom HTTP headers for the needs of your cors, for example:

     <system.webServer> <httpProtocol> <customHeaders> <add name="Access-Control-Allow-Origin" value="*"/> <add name="Access-Control-Allow-Headers" value="Content-Type"/> <add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS"/> </customHeaders> </httpProtocol> </system.webServer>

    In this example, they are set for all responses to all requests in the site / app / directory where web.config is located. If you want to limit them to a certain URL, put it in the <location> .
    You can also add these custom headers to the IIS console.

This is a basic solution, since it sends CORS headers even on request, which does not require it, perhaps opening your application for unexpected purposes. But with WCF, it looks like the easiest.

With MVC or webapi, we could instead handle the headers of the OPTIONS and cors verbs by code (either "manually" or with the built-in support available in the latest version of webapi).

+12
source
  • as the value is valid only for Access-Control-Allow-Origin. For the rest you need to be explicit. For instance:

Access-Control-Allow-Methods: GET, PUT, POST, DELETE

or alternatively:

Access-Control-Allow-Methods: PUT, DELETE

because the spec speaks of GET and POST.

+3
source

I just wanted to mention that at the time of this writing, I do not believe that web browsers support * wildcard values โ€‹โ€‹for Access-Control-Allow-Methods or Access-Control-Allow-Headers , even if it is in the specification.

Spec:

https://www.w3.org/TR/cors/
https://tools.ietf.org/html/rfc2616#section-4.2

See compatibility notes (easier reading):

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers / Access-control-allow-headers

Instead of the above best solutions, this means that you must explicitly provide each header or method that you want to allow.

0
source

Source: https://habr.com/ru/post/955794/

More articles:


All Articles