40

I am working with the final version of ASP.NET Web API to implement a JavaScript-friendly API. Per various tutorials, I have enabled CORS in my web.config:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
  </customHeaders>
 </httpProtocol>
</system.webServer>

With the above, cross-domain GET and POST requests work fine, but PUT and DELETE requests both fail.

In Chrome:

Method PUT is not allowed by Access-Control-Allow-Methods.

Method DELETE is not allowed by Access-Control-Allow-Methods.

Is there something additional required to get PUT and DELETE verbs working cross-domain?

Improve this question
3
  • 1
    How did you enabled CORS in your webconfig ? Commented Oct 4, 2012 at 12:08
  • Do you have a global CORS handler aswell? Or did you fix the CORS in the web.config only? Commented Apr 26, 2013 at 9:04
  • I implemented this at the web.config level only. Commented Apr 27, 2013 at 2:34

5 Answers 5

Reset to default
55

It looks like adding another custom header sorted it out:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
  </customHeaders>
 </httpProtocol>
</system.webServer>
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This doesn't work for me. Only works for GET and POST.
34

Also, in addition to Nathan answer, make sure you disabled WebDAV IIS module and set runAllManagedModulesForAllRequests="true" setting in the web.config:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <remove name="WebDAVModule"/>
  </modules>
  <handlers>
    <remove name="WebDAV" />
  </handlers>
</system.webServer>

Without this, preflight CORS requests (which are used for PUT, DELETE methods and send additional OPTIONS request) will not work.

Improve this answer

4 Comments

Ah thanks! My CORS handler wasn't working without those lines of code in web.config.
What is the WebDAV handler doing, and why does it need to be removed?
@JimAho: nice explaination is here: asp.net/web-api/overview/testing-and-debugging/…
OMG!!! I have expend almost 7 days for this!! and luckily i got it. Similar problem was for me. problem was for only PUT + DELETE . Finally Solved, thanks.
9

Very simple solution to overcome CORS Issue in WEBAPI2.2.

Add the following in you WebApi Config File.

var cors = new EnableCorsAttribute("*", "*", "*");
Config.EnableCors(cors);

Before adding this make sure you remove the custom header in the Web.config file.

    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept, X-Token" />
    <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />

If you have both customheader as well the CORS enabled in WebApiconfig, you will face the cors error.

Add the cors enabled in WebApi config will solve the issue.

Improve this answer

2 Comments

This is a good current solution and a good explanation. As you mentioned make sure both configurations don't exist (WebApiConfig.cs and Web.config) or the CORS configuration will have a conflict and result in a The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:1234, *', but only one is allowed. error.
In addition, one needs the following NuGet package to use the EnableCorsAttribute class: nuget.org/packages/Microsoft.AspNet.WebApi.Cors
0

Please use this in web.config while you deployed your application,dont use in local web.config

    <system.webServer>
  <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
      </customHeaders>
    </httpProtocol>
 <ModSecurity enabled="false" configFile="C:\inetpub\wwwroot\owasp_crs\modsecurity.conf" />
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>

  </system.webServer>
Improve this answer

Comments

0

Try to comment the line: <remove name="OPTIONSVerbHandler" /> in <handlers> tag

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.