Setting Up CORS - Sage/argos-sdk GitHub Wiki

There are a number of ways to enable a site to support Cross-Origin Resource Sharing (CORS).

With An IHttpModule

A sample IHttpModule to enable CORS can be found here: https://gist.github.com/4113849.

With ISAPI Rewrite

  • Install ISAPI_Rewrite Lite v3.

  • At root of website, create an empty options.txt.

    • If your website uses authentication, placing this file outside of your website is a good idea. That way the OPTIONS request doesn’t need to worry about authentication.
  • Go to the IIS Manager.

  • Select the website where you placed options.txt.

  • Depending on your version of IIS

    • IIS7
      • Click on Content View at the bottom.
      • In the list, right click on options.txt and choose Switch to Features View.
      • Go into HTTP Response Headers.
    • IIS6
      • In the content pane, right click on options.txt and go to Properties.
      • Go into the HTTP Headers tab.
  • Add the appropriate headers:

    • Access-Control-Allow-Origin: *
    • Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS
    • Access-Control-Allow-Headers: X-Requested-With, Authorization, X-Authorization, X-Authorization-Mode, User-Agent, Accept, Content-Type, If-Match, Cookie
      • Note: You MUST specify headers. A wildcard does not appear to work.
    • Access-Control-Max-Age: 1728000
      • Note: Although this is supposed to tell the browser to cache the preflight response, it does not appear to currently be supported.
    • Access-Control-Allow-Credentials: true
      • Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the Access-Control-Allow-Origin header, and not a wildcard.
  • A couple more header needs to be added, but instead of adding it to a file, we need to add it to the website that is serving the cross domain request. Follow the procedure as before to add the following header to the website.

    • Access-Control-Allow-Origin: *
    • Access-Control-Allow-Credentials: true
      • Note: If using native XMLHttpRequest credentials, this will require an actual domain to be specified in the Access-Control-Allow-Origin header, and not a wildcard.
  • Open up the ISAPI_Rewrite Manager.

  • Choose to Edit the configuration.

  • Add the following rules:

      RewriteCond %{REQUEST_METHOD} OPTIONS
      RewriteCond %{REQUEST_URI} \/sdata\/
      RewriteCond %{HTTP:Origin} .+
      RewriteRule (.*) /options.txt
      
      RewriteCond %{REQUEST_METHOD} OPTIONS
      RewriteCond %{REQUEST_URI} \/sdata\/
      RewriteCond %{HTTP:Origin} .+
      RewriteHeader METHOD OPTIONS GET
    
  • Apply the configuration.

Other Resources

http://enable-cors.org/