Web API 2 - CORS only works over HTTPS (not HTTP)


All,

I have a really simple Web API 2 project that I'm working on. For some reason I cannot get CORS to work properly unless I put it in the web.config file. I followed the instructions on the MSDN article and this ASP.NET article, but I must be missing something.

Global.asax.cs

protected void Application_Start()
{
    WebApiConfig.Register(GlobalConfiguration.Configuration);
}

WebApiConfig.cs

public static void Register(HttpConfiguration config)
{
    config.EnableCors(new EnableCorsAttribute("*","*","*"));

    config.MapHttpAttributeRoutes();
}

JavaScript

    $.ajax({
        url: '//myapidomain.com/buildings'
    }).done(function (data) {
        var theList     = $('.buildings'),
            theListHTML = "",
            response    = JSON.parse(data);

        $.each(response.Buildings.Data, function () {
            theListHTML += '<li>' + this.Description + '</li>';
        });
        theList.html(theListHTML);
    });

I've looked at just about every single Stack Overflow (such as this one) and MSDN forum post (like this one), and from what I can tell, this should be working. The app is hosted on an IIS 8 server running 4.0.

Update

It appears to be something with the request itself (or rather IIS configuration). If I send the request over HTTP, then it fails (no access-control headers get sent back). However, if I request it over HTTPS, everything works fine.

Solution

Our hosting environment was intercepting the non-HTTPS requests and forcing them to HTTPS. When it does this it returns a 304 which jQuery's method doesn't know how to handle. The solution is either to just always make the request over HTTPS (preferred) OR to handle this situation yourself/find an alternative library/plugin that handles this scenario.

Joel Kinzel On BEST ANSWER

Solution

Our hosting environment was intercepting the non-HTTPS requests and forcing them to HTTPS. When it does this it returns a 304 which jQuery's method doesn't know how to handle. The solution is either to just always make the request over HTTPS (preferred) OR to handle this situation yourself/find an alternative library/plugin that handles this scenario.
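
The "always make the request over HTTPS" option from the answer, as an added example that is not part of the original post: the question's protocol-relative URL (`//myapidomain.com/buildings`) inherits `http:` when the calling page is served over HTTP, so the sketch below pins the scheme before the request is made and asks `fetch` to reject on any redirect instead of following it. The function names, the `www.example.test` page origin and the use of `fetch` in place of `$.ajax` are assumptions; the response shape is taken from the question's code.

```javascript
// Added example; apiUrl, buildRequest and loadBuildings are hypothetical names.

// Resolve the API URL against the calling page and pin the scheme to https,
// so a protocol-relative URL cannot inherit http: from an http page.
function apiUrl(url, pageHref) {
  const resolved = new URL(url, pageHref);
  if (resolved.protocol === 'http:') {
    resolved.protocol = 'https:';
  }
  if (resolved.protocol !== 'https:') {
    throw new Error('refusing non-HTTPS API URL: ' + resolved.href);
  }
  return resolved.href;
}

// Build the request. redirect: 'error' makes fetch reject on any redirect
// instead of following it, so a forced scheme upgrade by the host surfaces
// as an explicit failure rather than a response without CORS headers.
function buildRequest(url, pageHref) {
  return {
    url: apiUrl(url, pageHref),
    options: { mode: 'cors', redirect: 'error', headers: { Accept: 'application/json' } },
  };
}

// Fetch the building descriptions; fetchImpl is injectable so the function
// can be exercised without a network.
async function loadBuildings(pageHref, fetchImpl = fetch) {
  const req = buildRequest('//myapidomain.com/buildings', pageHref);
  const res = await fetchImpl(req.url, req.options);
  if (!res.ok) {
    throw new Error('API returned HTTP ' + res.status);
  }
  // Response shape (Buildings.Data[].Description) comes from the question's code.
  const body = JSON.parse(await res.text());
  return body.Buildings.Data.map((b) => b.Description);
}
```

In a browser, call `loadBuildings(window.location.href)` and write each returned description into its list item with `textContent`.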