CORS Post With Preflight Request
Solution 1:
Unfortunately, POSTing to a domain other than your page's elicits CORS. That also includes different subdomains, ports and protocol (http/https).
Preflight is done when the request is "not simple", meaning, a content-type header set to something other than "text/plain". Your "application/json" makes browsers get scared into preflighting.
If those 50-200 ms are important to you, then you can rewrite your web service to understand the "simple" content type. If not, then you should make your web service throw back HTTP status 204 (no content) when it is tasked with OPTIONS (http method).
When dealing with a wcf:
WebOperationContext.Current.OutgoingResponse.StatusCode = System.Net.HttpStatusCode.NoContent;
Solution 2:
The subdomains are different. As far as CORS is concerned the subdomain, protocol and port have to be identical in the Origin and the Access-Control-Allow-Origin.
In your example it looks like the origin is: https://www.example.com and the Access-Control-Allow-Origin is: https://files.example.com
Solution 3:
Try adding Cache-Control and Pragma to the list of allowed headers in the preflight. The full header should look like this:
Access-Control-Allow-Headers: Cache-Control, Pragma, Origin, Authorization, Content-Type
Solution 4:
It's little late, but looking at your info it shows the pre-flight CORS check works OK, it's just the actual (2nd) CORS request where the response gets blocked by the browser.
It's a pity you didn't include the response for the actual (2nd) CORS request because that might have contained the clue for the response rejection. My suspicion is that although the pre-flight response correctly contains the header:
Access-Control-Allow-Origin:*
... your actual (2nd) response might not have contained that header, in which case the browser correctly rejects the response. If my assumption is true, the solution would be to just include this header also in the actual (non pre-flight) response.
Post a Comment for "CORS Post With Preflight Request"