.NET CORS Server

A place to save it all.

• Overview

  To allow a cross domain request we need to configure our server to identify itself as CORS compatible.

  This is done through response headers.
  Before a request is executed by a browser it makes a 'preflight request'. This is a http request performed automatically by the browser using the OPTIONS verb.
  The response to this request needs to include access control headers to allow the browser to execute the request initially submitted by the client.

  Here is a sample of a failed attempt.

  

  Here is what a successfull exchange of headers should look like:

  Request Headers:

  Origin: http://yourdomain.com
  Access-Control-Request-Method: POST
  Access-Control-Request-Headers: X-Custom-Header
                           

  Response Headers:

  Access-Control-Allow-Origin: http://yourdomain.com
  Access-Control-Allow-Methods: GET, POST
  Access-Control-Allow-Headers: X-Custom-Header
                           

• Pre-flight configuration

  To Service the pre-flight request we need to set the handler binding in the web.config file to handle the OPTION verb request.

  Here is very permissive options handler. This configuration allows requests from any site.

  Service Headers

      /// 
  
      /// Options Handler to accept CORS requests
      /// 
      public class OptionsHandler : IHttpHandler
      {
          public void ProcessRequest(HttpContext context)
          {
              Policies.HandleInit(this);
              
              var header_list = context.Response.Headers;
  
              var web_op_context = context.Response;
              web_op_context.StatusDescription = "OK";
              web_op_context.StatusCode = 200;
              web_op_context.Headers.Add("Access-Control-Allow-Methods", "OPTIONS, POST, GET, PUT, DELETE");
  
              string headers = "";
              headers += "Content-Type, ";
              headers += "X-Requested-With, ";
              headers += "Accept";
  
              web_op_context.Headers.Add("Access-Control-Allow-Headers", headers);
              web_op_context.Headers.Add("Access-Control-Expose-Headers", headers);
              web_op_context.Headers.Add("Accept", "*/*");
              web_op_context.Headers.Add("Accept-Language", "en-US, en");
              web_op_context.Headers.Add("Accept-Charset", "ISO-8859-1, utf-8");
              web_op_context.Headers.Add("Connection", "keep-alive");
  
              web_op_context.Headers.Add("Access-Control-Allow-Origin", "*");
              web_op_context.Headers.Remove("Server");
              web_op_context.Headers.Remove("X-Powered-By");
          }
  
          public bool IsReusable
          {
              get
              {
                  return false;
              }
          }
  
      }
               

• Service Set up