I am having some trouble allowing CORS OPTIONS requests from a website that I am working on. After doing some research I was under the impression that the following things needed to be in place in order for CORS OPTIONS requests to work:
Under the HTTP Headers Tab have the following:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,DELETE,OPTIONS
Access-Control-Allow-Headers: x-requested-with, cache-control, content-type, origin
Under the Home Directory tab set Execution Permissions to Scripts Only
or Scripts and Executables
.
I have done all of this, but when I try to submit the following request I get a 403.1 error:
Request URL:https://mystaging.verbalink.com/Secure/File/Handler.ashx?Id=9070c032-cced-4155-af29-6f6df476598d,c606c3c8-d06f-43ce-ab25-0614b0142659
Request Method:OPTIONS
Status Code:403 Forbidden
Request Headers
OPTIONS /Secure/File/Handler.ashx?Id=9070c032-cced-4155-af29-6f6df476598d,c606c3c8-d06f-43ce-ab25-0614b0142659 HTTP/1.1
Host: mystaging.verbalink.com
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://mystaging.verbalink.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31
Access-Control-Request-Headers: cache-control, origin, x-requested-with, content-type
Accept: */*
Referer: http://mystaging.verbalink.com/Secure/File/MultiUpload2.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Query String Parametersview sourceview URL encoded
Id:9070c032-cced-4155-af29-6f6df476598d,c606c3c8-d06f-43ce-ab25-0614b0142659
Response Headers
HTTP/1.1 403 Forbidden
Allow: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 1758
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Access-Control-Allow-Methods: POST,DELETE,OPTIONS
Access-Control-Allow-Headers: x-requested-with, cache-control, content-type, origin
Access-Control-Allow-Origin: *
Public: OPTIONS, TRACE, GET, HEAD, POST
Date: Mon, 08 Apr 2013 20:19:10 GMT
Does anyone see anything wrong with the way I have IIS configured that could cause this error?
Best Answer
In IIS Manager, right click on the website and select Properties. Switch to the Home Directory tab, and click the Configuration button. In the list of application extensions, locate the extension that your web service uses (e.g. .svc for WCF, .asmx for ASP.NET web services), select it, and click the Edit button. In the Limit To field, make sure that OPTIONS is included in the comma-separated list.
Then click OK until the dialog boxes have all closed, and that should be it.