Handling CORS Preflight requests to ASP.NET MVC actions

So I have found a solution that works. For each request, I check whether it’s a CORS request & whether the request is coming in with the OPTIONS verb, indicating that it’s the preflight request. If it is, I just send an empty response back (which only contains the headers configured in IIS of course), thus negating the controller action execution.

Then if the client confirms it’s allowed to perform the request based on the returned headers from preflight, the actual POST is performed & the controller action is executed. An example of my code:

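// Global.asax.cs (requires: using System; using System.Linq;)
protected void Application_BeginRequest()
{
    // A CORS preflight is an OPTIONS request that carries an Origin header.
    if (Request.Headers.AllKeys.Contains("Origin", StringComparer.OrdinalIgnoreCase) &&
        Request.HttpMethod == "OPTIONS")
    {
        // Send the headers configured in IIS with an empty body.
        Response.Flush();
        // Skip the rest of the pipeline so the controller action does not run.
        CompleteRequest();
    }
}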

As mentioned, this worked for me, but if anyone knows of a better way, or of any flaws in my current implementation, I would appreciate hearing about them.
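A stricter variant of the same Application_BeginRequest hook, as an added example that is not part of the original post: it answers the preflight only for allow-listed origins and only when the request also carries Access-Control-Request-Method. Assumptions: the origins, allowed method, allowed header and max-age below are placeholders, and the static CORS headers have been removed from the IIS configuration so the code emits them per origin.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Assumption: placeholder origins; replace with the sites allowed to call this API.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://admin.example.com"
        };

    protected void Application_BeginRequest()
    {
        string origin = Request.Headers["Origin"];
        if (string.IsNullOrEmpty(origin))
            return; // not a cross-origin request

        bool allowed = AllowedOrigins.Contains(origin);
        if (allowed)
        {
            // Echo only an allow-listed origin, never "*" or an unchecked header value.
            Response.AppendHeader("Access-Control-Allow-Origin", origin);
            Response.AppendHeader("Vary", "Origin"); // keep caches from mixing origins
        }

        // A real preflight is OPTIONS + Origin + Access-Control-Request-Method.
        bool isPreflight = Request.HttpMethod == "OPTIONS" &&
            !string.IsNullOrEmpty(Request.Headers["Access-Control-Request-Method"]);
        if (!isPreflight)
            return; // actual request: let MVC run the action

        if (allowed)
        {
            Response.AppendHeader("Access-Control-Allow-Methods", "POST");
            Response.AppendHeader("Access-Control-Allow-Headers", "Content-Type");
            Response.AppendHeader("Access-Control-Max-Age", "600");
            Response.StatusCode = 204;
        }
        else
        {
            Response.StatusCode = 403; // no CORS headers, so the browser blocks the POST
        }
        CompleteRequest(); // end the pipeline; the controller action never runs
    }
}
```

CORS headers only decide what a browser lets the calling page read; a non-preflighted request from a disallowed origin still reaches the action, so the action needs its own authentication and anti-forgery checks.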
