CORS issue with Sitefinity 9.1 No 'Access-Control-Allow-Origin'
Hello everyone,
We were trying to enable CORS on our Staging server and no matter what setting we enable or tweak in our security layer it appears the CORS functionality is not working with Sitefinity although its apparently enabled.
To ensure it was not a problem with the configuration on the Staging server, I downloaded the latest Sitefinity Empty SampleProject found here: github.com/.../release91 and I was able to reproduce the exact same problem locally.
Attached you will find two screenshots.
WebRequest with Error.png will show you the entire debug window from the developer tools from within Google Chrome.
WebService options.png shows you the options set against that specific web service and showing CORS is enabled.
Also with a direct quote from the official Sitefinity Documentation on CORS: docs.sitefinity.com/define-the-access-permissions
"Enter *
Every request from every domain will be allowed. We do not recommend this, because there may be malicious users who would try to exploit the service. We recommend to specify only domains that are trusted."
Hopefully this can be addressed and thanks to anyone who has any information or suggestions on this issue.
Was there any feedback at all on this? I am having the same issue with both 9.1 and in 9.2.
Hi Kevin,
You can enable CORS for specific locations with web.config:
<
location
path
=
"api/something"
>
<
system.webServer
>
<
httpProtocol
>
<
customHeaders
>
<
add
name
=
"Access-Control-Allow-Origin"
value
=
"*"
/>
</
customHeaders
>
</
httpProtocol
>
</
system.webServer
>
</
location
>
First, thank you for the response!!!
Is the <location> tag needed? Not sure what that is... also this should go in between <configuration> tags?
Hi Victor, can you confirm Kevin's reply? We just had an issue where the rocketship loaded but in watching the network trace we would get the CORS error. Manually restarting the website in IIS cleared it up.
Location tag is just limiting the rule.
If you want to apply CORS rule (Access-Control-Allow-Origin:*) for all website, you don't need to specify location tag.
If you want to apply it only for specific URLs, you need to specify location.
You can check details in msdn: msdn.microsoft.com/.../b6x6shw7(v=vs.71).aspx