11

I'm trying to make cross-domain request and my server is configured to send the following headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:x-requested-with, Authorization
Access-Control-Allow-Methods:OPTIONS, GET, HEAD, POST
Access-Control-Allow-Origin:*

But when an OPTION request is made, I get OPTIONS 405 (Method Not Allowed) error.

Any Ideas what is the problem and how to fix it?

Spadar Shut
  • 13,513
  • 5
  • 39
  • 51
  • Possible duplicate of [Access-Control-Allow-Origin Multiple Origin Domains?](http://stackoverflow.com/questions/1653308/access-control-allow-origin-multiple-origin-domains) – kenorb Nov 14 '16 at 11:44

3 Answers3

10

I would suggest 2 solutions:

1) If you are using WebAPI you need to implement the option method that by convention should look like:

public class XXXController : ApiController
{
    // OPTION http-verb handler
    public string OptionsXXX()
    {
        return null; // HTTP 200 response with empty body
    }

    ...
}

2) If you are not using WebAPI try to understand which part of your code triggers the OPTIONS 405 (Method Not Allowed) error for the OPTION call. In that case I would check if trying to add to the Web.config file these <customHeaders/> that works:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- CORS temporary solution -->
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization, Accept, X-Requested-With" />
        <add name="Access-Control-Allow-Methods" value="OPTIONS, TRACE, GET, HEAD, POST, PUT" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Filippo Vitale
  • 6,895
  • 2
  • 52
  • 58
7

Your web server / application may been configured to send the mentioned response header for every HTTP GET verb and POST verb requests. But is your web server configured to handle HTTP OPTIONS Verb?

If you need more details, please provide the webserver and application programming technology you are using.

A little background, Browsers send an OPTIONS Request when you have a cross domain request with some custom request headers. This request is made before the actual request. The browser will make the actual request only if this request comes back with the response header you have mentioned.

// These OPTIONS request are called preflight requests -- generally browsers dev tools dont track them in their network tab.f

humblelistener
  • 1,396
  • 11
  • 22
  • 1
    Thanks for your comment. The server is IIS 7. How do I configure it to handle OPTIONS? – Spadar Shut Nov 09 '12 at 00:00
  • Sounds like a good direction. Can you please provide some recommended link about how to handle `HTTP Options` verb? – Blaise Aug 27 '14 at 13:55
  • 1
    @Blaise shortest explanation to handle options verb is explained in http://stackoverflow.com/a/13646169/570239 - for more details on how to web api < 2 and asp.net mvc in generat check this http://www.codeguru.com/csharp/.net/net_asp/using-cross-origin-resource-sharing-cors-in-asp.net-web-api.html . For web api 2 check http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api – humblelistener Aug 27 '14 at 14:12
  • 1
    This last comment finally solved my problem for webapi 2: Install-Package Microsoft.AspNet.WebApi.Cors and httpEnableConfig.EnableCors() – pauldendulk Apr 13 '15 at 19:05
1

You would need to modify default OPTIONSVerbHandler. If using asp classic, that would mean adding following lines to your Web.config file:

    <handlers>
        <remove name="OPTIONSVerbHandler" />
        <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\System32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />
    </handlers>
Anatoly Alekseev
  • 1,138
  • 16
  • 15