{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 冷血范 的问题《ServiceStack, CORS, and OPTIONS (No Access-Control》','https://www.manongdao.com/q-834537.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
We're hitting a bit of a snag with CORS features of a restful API in ServiceStack 4.
We want to be sneding cookies to the api since the SS session is in the cookies, so we make AJAX calles with "WithCredentials" = true in our angular clients that hit the API.
Since Chrome (at least) doesn't like Access-Control-Allow-Origin wildcards with WithCredentials, we've added a pre-request filter to echo back the requester's origin in the Access-Control-Allow-Origin header like so:
private void ConfigureCors()
{
Plugins.Add(new CorsFeature(
allowedHeaders: "Content-Type",
allowCredentials: true,
allowedOrigins: ""));
PreRequestFilters.Add((httpReq, httpRes) =>
{
string origin = httpReq.Headers.Get("Origin");
if (origin != null)
{
httpRes.AddHeader(HttpHeaders.AllowOrigin, origin);
}
else
{
// Add the dev localhost header.
httpRes.AddHeader(HttpHeaders.AllowOrigin, "http://localhost:9000");
}
});
PreRequestFilters.Add((httpReq, httpRes) =>
{
//Handles Request and closes Responses after emitting global HTTP Headers
if (httpReq.Verb == "OPTIONS")
{
httpRes.EndRequest();
}
});
}
However, we're hitting a snag on OPTIONS requests, because the SS service is not emitting the Access-Control-Allow-Origin header back when the request is ended. This makes Chrome reject the call.
We tried putting an explicit header inside the pre-request filter for OPTIONS, but it still doesn't return an ACAO header for OPTIONS calls:
PreRequestFilters.Add((httpReq, httpRes) =>
{
//Handles Request and closes Responses after emitting global HTTP Headers
if (httpReq.Verb == "OPTIONS")
{
httpRes.AddHeader(HttpHeaders.AllowOrigin, "*");
httpRes.EndRequest();
}
});
It seems like this must have been dealt with before, but we couldn't find anything quite like this on StackOverflow.
Are we doing something wrong with the OPTIONS pre-request filter? Why does it not return an Access-Control-Allow-Origin header?
You should add the whitelisted domains in the
allowOriginWhitelist, e.g:There was an issue introduced in v4.0.35 where as PreRequestFilters were being written in Custom HttpHandlers this caused the CorsFeature to write out the Access-Control-Allow-Origin header twice causing browsers to reject it. This has now been resolved in this commit which is available from v4.0.36+ that's now available on MyGet.
This latest version has been deployed to the http://test.servicestack.net demo which shows cross-domain authentication with ServiceStack in this jsbin: http://jsbin.com/korijigucu/1/edit
Source code for the CorsFeature registration in above Test project:
Note: Updating to 4.0.36 resolved the doubled-header issue described below, rendering the second pre-request filter obsolete.
I finally got this to work, but it feels like a kludge.
I added the allowOriginWhitelist entry as Demis suggested, which was returning doubled values for the header (
Access-Control-Allow-Origin:http://localhost:9000), at least for OPTIONS calls (it appears to work fine for POST and GET):So I added the following pre-request filter, based on the earlier filter we were using:
This has resolved the issue, but it feels like a kludge. Does anyone know why this simple code would produce doubled ACAO headers in the response?