Reputation: 2653
I recently implemented CORS in my Web API controller. I am calling the Web API located on domain1 from a client on domain2.
For the origin, I specified a bogus URL. To my understanding, only calls from this URL will be accepted. Is this correct?
So only calls from http://notgoingtowork.com will be able to call the controller and return data.
Here is my controller (domain1):
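    using System.Web.Http;
    using System.Web.Http.Cors;

    public class TestController : ApiController
    {
        // Only this origin is listed in the CORS policy for the action.
        [EnableCors(origins: "http://notgoingtowork.com", headers: "*", methods: "*")]
        public int Get()
        {
            return 1;
        }
    }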
And then on my other domain, the AJAX call (domain2):

    $.ajax({
        url: "http://domain1/api/Test/Get",
        method: "GET",
        headers: { "accept": "application/json;odata=verbose" },
        success: function (data) { alert("it worked"); },
        error: function (error) { alert("Did not work"); }
    })
However, the request is still successful and is returning data. As the client is not on 'http://notgoingtowork.com', how is it able to successfully do this? What am I missing?
I am doing this on IE11. This works fine on Chrome.
EDIT: Here is the WebApiConfig.cs file. It is pretty generic. I just added the CORS part.
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            config.EnableCors();
            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
        }
    }
Upvotes: 1
Views: 197
Reputation: 8168
There is a setting "Access data sources across domains" in IE 11; make sure it is disabled.
Upvotes: 1
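The behaviour in this thread, as an added example that is not part of either post: a simplified JavaScript model of a simple (non-preflighted, non-credentialed) cross-origin GET, showing that the origin list only controls a response header and that the blocking happens in a client that enforces the check. The function names and the `enforceCors` flag are hypothetical; the origins are the ones from the question.

```javascript
// Added illustration (not from the original posts): simplified model of a
// simple CORS request. All function and parameter names are hypothetical.

// Server side: what an origin allow-list contributes to the response.
// Modelled assumption: the action still runs and its body is still sent;
// a disallowed origin only means Access-Control-Allow-Origin is left out.
function serverRespond(requestOrigin, allowedOrigins) {
  const headers = {};
  if (allowedOrigins.includes("*")) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (allowedOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return { status: 200, headers, body: "1" };
}

// Client side: the check that decides whether script may read the response.
// enforceCors = false models a client that skips the check (a non-browser
// HTTP client, or a browser configured not to apply it).
function clientRead(pageOrigin, response, enforceCors) {
  if (!enforceCors) return { readable: true, data: response.body };
  const acao = response.headers["Access-Control-Allow-Origin"];
  const ok = acao === "*" || acao === pageOrigin;
  return ok
    ? { readable: true, data: response.body }
    : { readable: false, data: null };
}

// Constructed scenario using the origins from the question.
function runScenario() {
  const allowed = ["http://notgoingtowork.com"];
  const res = serverRespond("http://domain2", allowed);
  return {
    serverStatus: res.status,
    enforcing: clientRead("http://domain2", res, true),
    notEnforcing: clientRead("http://domain2", res, false),
    allowedOrigin: clientRead("http://notgoingtowork.com",
      serverRespond("http://notgoingtowork.com", allowed), true),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

In this model the server answers 200 in every case, so an origin list is not a substitute for authentication or authorization on the endpoint.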