IIS hijacks CORS Preflight OPTIONS request

by

A couple of things you can try here, all web.config related, firstly modify your modules element to include the attribute runAllManagedModulesForAllRequests="true", as below: 

<modules runAllManagedModulesForAllRequests="true">
    <remove name="WebDavModule" />
</modules>

Then set your handlers to the below: 

<handlers>
   <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
   <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
   <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
   <remove name="WebDav" />
   <remove name="OPTIONSVerbHandler" />
   <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
   <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
   <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>

This should do the trick, but if it doesn’t, as a last resort you can force IIS to output the correct headers with the below:

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

Be wary of the wildcard value, you should really set this to the domain name that your site will be hosted on.

More Related Contents:

  1. HTTP Error 500.19 and error code : 0x80070021
  2. Dots in URL causes 404 with ASP.NET mvc and IIS
  3. ASP MVC in IIS 7 results in: HTTP Error 403.14 – Forbidden
  4. Asp.NET Web API – 405 – HTTP verb used to access this page is not allowed – how to set handler mappings
  5. How to add Web API to an existing ASP.NET MVC 4 Web Application project?
  6. Difference between ApiController and Controller in ASP.NET MVC
  7. Handling CORS Preflight requests to ASP.NET MVC actions
  8. ASP.NET MVC, Url Routing: Maximum Path (URL) Length
  9. ASP.NET MVC 4 Web API Authentication with Membership Provider
  10. How to force ASP.NET Web API to always return JSON?
  11. HTTP Error 403.14 – Forbidden The Web server is configured to not list the contents
  12. Web API and ValidateAntiForgeryToken
  13. Redirect from asp.net web api post action
  14. ApiController returns 404 when ID contains period
  15. MVC web api: No ‘Access-Control-Allow-Origin’ header is present on the requested resource
  16. How do I set the request timeout for one controller action in an asp.net mvc application
  17. ASP.NET MVC and IIS 5
  18. IIS Redirect non-www to www AND http to https
  19. Passing asp.net server parameters to Angular 2 app
  20. ASP.NET MVC 4 Application Calling Remote WebAPI
  21. How does a method in MVC WebApi map to an http verb?
  22. Discovering Generic Controllers in ASP.NET Core
  23. CORS in ASP .NET MVC5
  24. ASP.NET Web API, unexpected end of MIME multi-part stream when uploading from Flex FileReference
  25. ASP.NET WebApi vs MVC? [closed]
  26. AutoMapper.Mapper does not contain definition for CreateMap
  27. Unable to get windows authentication to work through local IIS
  28. Routing in Asp.net Mvc 4 and Web Api
  29. ASP.Net WebAPI area support
  30. WebAPI CORS with Windows Authentication – allow Anonymous OPTIONS request

Leave a Comment