I am working with the final version of ASP.NET Web API to implement a JavaScript-friendly API. Per various tutorials, I have enabled CORS in my web.config:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
</httpProtocol>
</system.webServer>
With the above, cross-domain GET and POST requests work fine, but PUT and DELETE requests both fail.
In Chrome:
Method PUT is not allowed by Access-Control-Allow-Methods.
Method DELETE is not allowed by Access-Control-Allow-Methods.
Is there something additional required to get PUT and DELETE verbs working cross-domain?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
It looks like adding another custom header sorted it out:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
</system.webServer>
Method 2
Also, in addition to Nathan answer, make sure you disabled WebDAV IIS module and set runAllManagedModulesForAllRequests="true" setting in the web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDAVModule"/>
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
</system.webServer>
Without this, preflight CORS requests (which are used for PUT, DELETE methods and send additional OPTIONS request) will not work.
Method 3
Very simple solution to overcome CORS Issue in WEBAPI2.2.
Add the following in you WebApi Config File.
var cors = new EnableCorsAttribute("*", "*", "*");
Config.EnableCors(cors);
Before adding this make sure you remove the custom header in the Web.config file.
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Credentials" value="true" />
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept, X-Token" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
If you have both customheader as well the CORS enabled in WebApiconfig, you will face the cors error.
Add the cors enabled in WebApi config will solve the issue.
Method 4
Please use this in web.config while you deployed your application,dont use in local web.config
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
<ModSecurity enabled="false" configFile="C:inetpubwwwrootowasp_crsmodsecurity.conf" />
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Method 5
Try to comment the line: <remove name="OPTIONSVerbHandler" /> in <handlers> tag
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0