ASP Classic / CORS - Reporting no header when header for CORS is set

Question

Apologies in advance, I'm new to CORS so might be something I am missing.

I'm attempting within my current localhost to setup a CORS from one localhost port to another localhost port. I've confirmed this is possible with two applications built in the same language/framework but I've encountered issues with two different languages / frameworks.

Currently, each localhost port is built like such-

Localhost1: React/.Net C#

Localhost2: React/.Net C#

Localhost3: ASP Classic

I am able to complete CORS between localhost 1 & 2 but I keep getting errors relating to the "Access-Control-Allow-Origin" with my headers when dealing with CORS between localhost2 & localhost 3.

Below is my current ASP Classic File I am trying to post data to, which is being used to confirm that the data is being sent -

<%
Response.AddHeader "Access-Control-Allow-Origin", "*"
Response.AddHeader "Access-Control-Allow-Methods", "POST, OPTIONS"
Response.AddHeader "Access-Control-Allow-Headers", "Content-Type"
Response.AddHeader "Access-Control-Allow-Credentials", "true"

If Request.ServerVariables("REQUEST_METHOD") = "OPTIONS" then
    ' Handling preflight request
    Response.AddHeader "Access-Control-Allow-Origin", "*"
    Response.AddHeader "Access-Control-Allow-Methods", "POST, OPTIONS"
    Response.AddHeader "Access-Control-Allow-Headers", "Content-Type"
    Response.AddHeader "Access-Control-Allow-Credentials", "true"
    Response.Status = 200
    Response.End
End If

' Check if it's a POST request
If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    Dim requestData, id1
    
    On Error Resume Next
    Set requestData = JSONParse(Request.Form("data")) ' Assuming "data" is the key where JSON is sent
    On Error Goto 0 ' Re-enable default error handling
    
    If Err.Number <> 0 Then
        ' Handle JSON parsing errors
        Response.Status = 400 ' Bad Request
        Response.Write "Error while parsing JSON: " & Err.Description
        Response.End
    End If
    
    id1 = requestData("id1")
    
    If id1 = "" Or Not IsNumeric(id1) Then
        ' Invalid or missing data in the JSON payload
        Response.Status = 400 ' Bad Request
        Response.Write "Invalid or missing ID data"
        Response.End
    Else
        ' Respond with a confirmation message
        Response.AddHeader "Content-Type", "application/json" ' Set appropriate Content-Type
        Response.Write "{ ""message"": ""Received the data successfully"" }" ' Respond with JSON confirming data receipt
        Response.End
    End If
Else
    ' Handling non-POST requests
    Response.Status = 405 ' Method Not Allowed
    Response.Write "Only POST requests are allowed"
    Response.End
End If
%>

Below is the message I get when looking at the devTools/issues within Chrome.

What am I missing / how can I fix this?

Thanks in advance for any help :)

Side note- Yes I know that * is a security issue, I am just using the wild card for testing purposes.

Answer 1

I found my issues.

I had to setup the CORS headers within my HTTP Headers section within IIS to allow the to allow the CORS to post to my localhost rather than setup the details within a singular file of the ASP classic code.

I believe this is due to being a server level issues rather than a code related issue.

Answer 2

This will happen due to IIS short-circuiting the request before it reaches the ASP page.

By default the Classic ASP ISAPI Handler will only accept GET, HEAD and POST as valid HTTP verbs and using other verbs like OPTIONS will result in an HTTP status response of 405 Method Not Allowed. To use OPTIONS you will need to edit the HTTP Handler for the ASPClassic IsapiModule in the Handler Mappings for the Classic ASP Website in IIS (see image below)

and add OPTIONS to the comma-delimited list of allowed verbs.