Setting Up CORS

Jason Best edited this page May 8, 2014 · 4 revisions

There are a number of ways to enable a site to support Cross-Origin Resource Sharing (CORS).

With An IHttpModule

A sample IHttpModule to enable CORS can be found here: https://gist.github.com/4113849.

With ISAPI Rewrite

  • Install ISAPI_Rewrite Lite v3.

  • At root of website, create an empty options.txt.

    • If your website uses authentication, placing this file outside of your website is a good idea. That way the OPTIONS request doesn’t need to worry about authentication.
  • Go to the IIS Manager.

  • Select the website where you placed options.txt.

  • Depending on your version of IIS

    • IIS7
      • Click on Content View at the bottom.
      • In the list, right click on options.txt and choose Switch to Features View.
      • Go into HTTP Response Headers.
    • IIS6
      • In the content pane, right click on options.txt and go to Properties.
      • Go into the HTTP Headers tab.
  • Add the appropriate headers:

    • Access-Control-Allow-Origin: *
    • Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
    • Access-Control-Allow-Headers: X-Requested-With, Authorization, X-Authorization, X-Authorization-Mode, User-Agent, Accept, Content-Type, If-Match, Cookie, X-Applicaton-Name, X-Application-Version
      • Note: You MUST specify headers. A wildcard does not appear to work.
    • Access-Control-Max-Age: 1728000
      • Note: Although this is supposed to tell the browser to cache the preflight response, it does not appear to currently be supported.
    • Access-Control-Allow-Credentials: true
      • Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the Access-Control-Allow-Origin header, and not a wildcard.
  • A couple more header needs to be added, but instead of adding it to a file, we need to add it to the website that is serving the cross domain request. Follow the procedure as before to add the following header to the website.

    • Access-Control-Allow-Origin: *
    • Access-Control-Allow-Credentials: true
      • Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the Access-Control-Allow-Origin header, and not a wildcard.
  • Open up the ISAPI_Rewrite Manager.

  • Choose to Edit the configuration.

  • Add the following rules:

      RewriteCond %{REQUEST_METHOD} OPTIONS
      RewriteCond %{REQUEST_URI} \/sdata\/
      RewriteCond %{HTTP:Origin} .+
      RewriteRule (.*) /options.txt
      
      RewriteCond %{REQUEST_METHOD} OPTIONS
      RewriteCond %{REQUEST_URI} \/sdata\/
      RewriteCond %{HTTP:Origin} .+
      RewriteHeader METHOD OPTIONS GET
    
  • Apply the configuration.

Other Resources

http://enable-cors.org/

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.