CORS error - No 'Access-Control-Allow-Origin' header is present on the requested resource

asp.net angularjs asp.net-web-api cors asp.net-web-api2
26,733

Solution 1

When dealing with CORS, we need to keep in mind that there may be two requests sent by the browsers for a non GET request. There is usually the preflight (OPTIONS) request and then the actual request (POST). During the preflight requests, the server needs to add the Access-Control-Allow-Origin header with the value matching the request Origin header. This authorizes the subsequent request to be sent.

For the subsequent/actual request, the server also needs to add the Access-Control-Allow-Origin header. Otherwise, this request fails.

When using the OWIN OAuthAuthorizationServerProvider, we need to customize the MatchEndpoint handler to manage the header logic. This handler is executed before validate client authentication.

For more background information, look at this link: http://www.ozkary.com/2016/04/web-api-owin-cors-handling-no-access.html

Solution 2

It's because of Preflighted requests.

Read these articles for solutions:

Share:
26,733
Greg
Author by

Greg

Updated on April 05, 2020

Comments

  • Greg
    Greg about 4 years

    I am using an Angular front end to connect to a WEB API 2 backend. The failing use case is the following. When a user registers, on successful registration, they must be logged into the system and be redirected to a new page to collect further information. I am using TOKENS for authentication.

    I have enabled CORS in the WebAPI config:

     var cors = new EnableCorsAttribute("http://localhost:7812", "*", "*");
        config.EnableCors(cors);

    The registration request is successful and the response headers have the required CORS headers:

    **Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://localhost:7812**
Content-Length:0
Date:Sun, 24 Aug 2014 09:31:55 GMT
Server:Microsoft-IIS/8.0
X-Powered-By:ASP.NET
X-SourceFiles:=?UTF-8?B?QzpcUHJvamVjdHNcVGVzdGluZ1xNYWx0QXBhcnRtZW50c1xNYWx0YXBhcnRtZW50cy5BUElcTWFsdGFwYXJ0bWVudHMuQVBJXGFwaVxhY2NvdW50XHJlZ2lzdGVy?=

    In the next step I attempt to log in the user to the system. As part of the login, the front end requests a TOKEN from the server at Request URL:http://localhost:7802/token. The request header once again sends a Origin header Origin:http://localhost:7812 but this time I get the error : XMLHttpRequest cannot load http://localhost:7802/token. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:7812' is therefore not allowed access.

    Anyone have any ideas?

  • Greg
    Greg over 9 years
    Yes, its a preflight request to get the token. I tried removing all the code enabling CORS in the config code and putting it in the WEB config. The exception then changes to a HTTP 405 - Method not allowed but the config setting EXPLICITLY allows all methods ( <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS, PUT, DELETE" />) Makes no sense at all
  • wilver
    wilver over 9 years
    I usually use just OWIN configurations for CORS, but I think you should keep both: the EnableCorsAttribute with httpprotocol. if you want here is my solution: github.com/williamverdolini/discitur-api/blob/master/App_Sta‌​rt/…
  • Greg
    Greg over 9 years
    Thanks - I will look at your solution, however, I want to try and understand what the issue is before I go there. I have enabled CORS in the OWIN config and the WEB config and I get a new error saying there are multiple CORS headers. Understandable. So then I remove the WEB config settings. So at this point I only have the OWIN config active...Back to square one.... same error
  • Greg
    Greg over 9 years
    @William - I have checked your code. My understanding at a basic level is that 2 things must happen. 1. The OAuthAuthorizationServerOptions must be set. 2. The app must call CORS (app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); I can see no special settings that apply to reflight requests. Since these are the only request types that are breaking, there musts be some additional information I am not aware of.
  • wilver
    wilver over 9 years
  • Greg
    Greg over 9 years
    OK - I have enabled CORS in 1. My Startup, My WebAPI config, my Account controller AND in my Angular app. I have replaced the Web Config Handler with the new remove name = "OPTIONS" and tried with "OPTIONSVerbHandler". Nothing works. Anyway, I will leave you in peace now. Thanks for the help

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed
405 Method Not Allowed on WebAPI2 (OWIN)
Can you have 2 GET methods with different parameter types within the same web api controller?
Why CORS error "Response to preflight request doesn't pass access control check"?
POST multiple objects from Angular controller to Web API 2
Passing multiple parameters to client.PostAsJsonAsync function
How to get and set cookies in web api 2
Using WebApi RoutePrefix attribute on a base controller
Use Angular js API with ASP.net webForms
Possible to pass a list of integer through web api or do I have to use a string param