We ran into this problem because we had set up CORS according to best practice (e.g. http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api) AND ALSO had a custom header <add name="Access-Control-Allow-Origin" value="*"/>
in web.config.
Remove the web.config entry, and all is well.
Contrary to @mww’s answer, we still have EnableCors()
in the WebApiConfig.cs AND an EnableCorsAttribute
on the controller. When we took out one or the other, we ran into other issues.