Enabling CORS in IIS7 Web Application

Cross-origin HTTP request are restricted to (from MDN)

  • The only allowed methods are:
    • GET
    • HEAD
    • POST
  • The only allowed values for the Content-Type header are:
    • application/x-www-form-urlencoded
    • multipart/form-data
    • text/plain

I needed to grant a local web application the ability to POST JSON-formatted data, which is clearly beyond the Content-Type restrictions above.

Without modifying the application, I noticed OPTION requests instead of POST requests to the local URL.

As it turns out, an OPTIONS request is sent before a cross-origin POST (if it is not a “simple” request) to check whether the webserver allows a POST, given origin, method, content type, and HTTP headers:

Preflighted requests

Unlike simple requests (discussed above), “preflighted” requests first send an HTTP request by the OPTIONS method to the resource on the other domain, in order to determine whether the actual request is safe to send.  Cross-site requests are preflighted like this since they may have implications to user data.

Fortunately, a single thread on SO helped me enable CORS but simply editing the application’s web.config file. The <system.webServer> section needs to contain the following lines:

  <modules runAllManagedModulesForAllRequests="true">
    <remove name="WebDAVModule"/>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Methods" value="GET,POST,OPTIONS" />
      <add name="Access-Control-Allow-Headers" value="Content-Type" />

The <remove> entry disables the standard handler (WebDAV) for the OPTIONS verb . The <customHeaders> section contains all allowed HTTP header (Access-Control-Allow-*), and Access-Control-Allow-Headers specifies that JSON is recognized as valid Content-Type.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.