
I was trying to post some data with fetch to an API server. The server is an ASP.NET Web API (.NET Framework v4.5), published on IIS with only Windows Authentication enabled.

However, the POST's preflight request headers did not contain a cookie, so I got a '401 Unauthorized' error.

My fetch request code, and the request headers from Chrome:

// url and loaItem are defined elsewhere in the page's script
fetch(url,
{
    method: 'POST',
    mode: 'cors',
    headers: {
        'Accept': 'application/json, text/plain, */*',
        'Content-Type': 'application/json'
    },
    body: JSON.stringify(loaItem),
    // makes the browser attach cookies to the actual POST (never to the preflight)
    credentials: 'include'
})


OPTIONS /api/loasdup HTTP/1.1
Host: localhost:4501
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:8081/loa/copy/LOA201807120000
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7

Any ideas?

Response Headers in IIS:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: http://localhost:8081

[Image: The request and response details for OPTIONS]

[Image: The request and response for GET, which works properly]

  • I don't think the pre-flight request is meant to go through an authentication mechanism. Are you sure your server-side is configured correctly? – Phil Jul 12 '18 at 03:27
  • @Phil Emmm, I'm not sure what you mean by correctly. I'm a freshman to these HTTP things. Could you be more specific? By now, the GET function works properly. – Super Guo Jul 12 '18 at 03:35
  • What I mean is the server-side resource that handles the `OPTIONS` request typically doesn't require authentication. It's meant to be a meta-data resource for the `GET` / `POST` resource and should really only specify which properties are allowed to make the cross-origin request via `Access-Control-*` response headers. – Phil Jul 12 '18 at 03:37
  • @phil Oh, emmm, understood. But might you give some example? I tried some different settings for 'Access-Control-*', but none worked. By now, Allow-Headers and Allow-Methods are *, and Allow-Credentials is true, but I still got the same error. – Super Guo Jul 12 '18 at 03:53
  • You need a specific `Access-Control-Allow-Origin` (**not** `*`) for credentials to work. Which of your requests (`OPTIONS` or `POST`) is receiving the 401 response? It would be great if you could post some more details of the two sets of request and response headers, ie `OPTIONS` and then `POST` (if it happens) – Phil Jul 12 '18 at 03:56
  • @phil the Origin is not *, I set it as the request origin almost at the beginning. And the OPTIONS is receiving the 401; the POST request was not sent. – Super Guo Jul 12 '18 at 04:13
  • Great, thanks for the extra info. I think this goes back to my first comment though in that the resource for the `OPTIONS` request should not be behind your authentication layer. – Phil Jul 12 '18 at 04:17
  • You just needed the right search terms ~ _"iis windows authentication disable for OPTIONS cors"_ – Phil Jul 12 '18 at 04:19
  • https://fetch.spec.whatwg.org/#cors-protocol-and-credentials –  Jul 12 '18 at 04:23
