I write directly to request headers in ASP.NET MVC through an HttpContext.Current object, and yet these headers are not sent to the browser ... Any idea what might cause this? I ONLY get headers if I add them through web.config. This does not work for me, since I need to allow multiple Access-Control-Allow-Origin domains.
I tried writing the headers directly to HttpContext.Current using this code.
context.Response.AppendHeader("Access-Control-Allow-Origin", origin); context.Response.Cache.SetCacheability(HttpCacheability.NoCache); context.Response.ContentType = "text/plain"; context.Response.Write("Hello World " + DateTime.Now.ToString());
I get the world hello, but not the headers.
I also tried using Thinktecture.IdentityModel.Http.Cors.WebApi , but getting the same results as nothing. I checked my verified code to make sure it matches the tutorial] 1 . I configured the headers in Web.config and tried using Thinktecture, but only get the headers when Access-Control-Allow-Origin is in the web.config file, but I still get the error message in Chrome / FF. It seems like headers are only sent out on OPTIONS request, but I'm not sure.
Accept:*/* Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3 Accept-Encoding:gzip,deflate,sdch Accept-Language:en-US,en;q=0.8,ga;q=0.6,pt-BR;q=0.4,pt;q=0.2 Access-Control-Request-Headers:accept, origin, content-type Access-Control-Request-Method:GET Authorization:Negotiate REDACTED Cache-Control:max-age=0 Connection:keep-alive Host:bpapi.domain.com Origin:http://dev-02 Referer:http://dev-02/_Layouts/PAR/NewParItem.aspx User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31 HTTP/1.1 200 OK Server: Microsoft-IIS/7.5 Persistent-Auth: false X-Powered-By: ASP.NET Access-Control-Allow-Origin: http://dev-02 Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept WWW-Authenticate: Negotiate REDACTED Date: Sat, 06 Apr 2013 00:35:31 GMT Content-Length: 0
Here is web.config as pastebin so as not to clutter up the issue. WebDAV is not installed.
public class CorsConfig { public static void RegisterCors(HttpConfiguration httpConfig) { WebApiCorsConfiguration corsConfig = new WebApiCorsConfiguration(); corsConfig.RegisterGlobal(httpConfig); corsConfig .ForResources(new string[] { "Industries", "Projects" }) .ForOrigins(new string[] { "http://dev-01", "http://dev-02" }) .AllowAll(); } }
Here is the Thinktecture code:
protected void Application_Start() { AreaRegistration.RegisterAllAreas(); WebApiConfig.Register(GlobalConfiguration.Configuration); FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters); RouteConfig.RegisterRoutes(RouteTable.Routes); BundleConfig.RegisterBundles(BundleTable.Bundles); //CorsConfig.RegisterCors(GlobalConfiguration.Configuration); RegisterCors(MvcCorsConfiguration.Configuration); } private void RegisterCors(MvcCorsConfiguration corsConfig) { corsConfig .ForResources(new string[] {"Industries", "Projects" }) .ForOrigins(new string[] { "http://dev-01", "http://dev-02" }) .AllowAll(); }
Update 2013/04/09: Not a single context.Response.AppendHeader(...) and context.Response.AddHeader(...) has any effect. Chrome and FF look fine if they get JSONP regardless of the source permission header, so my project at least works. I also tried <remove name="OPTIONSVerbHandler"/> without success. I will be deploying an MVC application on a new server to find out if something is localized to a specific machine.