Setting Up CORS - Sage/argos-sdk GitHub Wiki
There are a number of ways to enable a site to support Cross-Origin Resource Sharing (CORS).
With An IHttpModule
A sample IHttpModule to enable CORS can be found here: https://gist.github.com/4113849.
With ISAPI Rewrite
-
Install ISAPI_Rewrite Lite v3.
-
At root of website, create an empty
options.txt
.- If your website uses authentication, placing this file outside of your website is a good idea. That way the OPTIONS request doesn’t need to worry about authentication.
-
Go to the IIS Manager.
-
Select the website where you placed options.txt.
-
Depending on your version of IIS
- IIS7
- Click on Content View at the bottom.
- In the list, right click on
options.txt
and choose Switch to Features View. - Go into HTTP Response Headers.
- IIS6
- In the content pane, right click on
options.txt
and go to Properties. - Go into the HTTP Headers tab.
- In the content pane, right click on
- IIS7
-
Add the appropriate headers:
Access-Control-Allow-Origin
: *Access-Control-Allow-Methods
: GET, PUT, POST, DELETE, OPTIONSAccess-Control-Allow-Headers
: X-Requested-With, Authorization, X-Authorization, X-Authorization-Mode, User-Agent, Accept, Content-Type, If-Match, Cookie- Note: You MUST specify headers. A wildcard does not appear to work.
Access-Control-Max-Age
: 1728000- Note: Although this is supposed to tell the browser to cache the preflight response, it does not appear to currently be supported.
Access-Control-Allow-Credentials
: true- Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the
Access-Control-Allow-Origin
header, and not a wildcard.
- Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the
-
A couple more header needs to be added, but instead of adding it to a file, we need to add it to the website that is serving the cross domain request. Follow the procedure as before to add the following header to the website.
Access-Control-Allow-Origin
: *Access-Control-Allow-Credentials
: true- Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the
Access-Control-Allow-Origin
header, and not a wildcard.
- Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the
-
Open up the ISAPI_Rewrite Manager.
-
Choose to Edit the configuration.
-
Add the following rules:
RewriteCond %{REQUEST_METHOD} OPTIONS RewriteCond %{REQUEST_URI} \/sdata\/ RewriteCond %{HTTP:Origin} .+ RewriteRule (.*) /options.txt RewriteCond %{REQUEST_METHOD} OPTIONS RewriteCond %{REQUEST_URI} \/sdata\/ RewriteCond %{HTTP:Origin} .+ RewriteHeader METHOD OPTIONS GET
-
Apply the configuration.