CORS support

Topics: blog, faq
Nov 8, 2010 at 1:51 PM

Hi,

How can I make a webserver to support CORS (Cross Origin Resource Sharing) ?

Do I need to add the extra header(s) like: 

Access-Control-Allow-Origin: * 

If so, I would be great if someone has a small example how to add such header (just a line or 2)

I have a working server but it does not work with CORS. Below is a snippet as the full code is too long. The code I am working with is working fine, but I cannot get CORS working with it. Do I need to insert the above mentioned header at the comment in the snippet (allow CORS per reply) or should/can I add the header as general header somewhere when the server is initialized ?

// in initialisation
server.RequestReceived += ServerRequestReceived;

// 
void ServerRequestReceived(object sender, RequestEventArgs e)
{
   try
   {
        // ...
        // ... implementation
        // ...


        // >> INSERT HEADER ???


        e.Response.ContentType.Value = "text/xml";
        e.Response.Body.Write(buffer, 0, buffer.Length);


Thanks in advance for helping


Nov 8, 2010 at 2:35 PM

Hi,

I just started using this Project, but have you tried using:

e.Response.Add(new StringHeader("Key", "Value");

I am not sure if StringHeader is the right class to use, but there are several others in the Project under the Namespace "HttpServer.Headers.*" like NumericHeader, DateHeader, .....

Regards
HyperteX

Nov 8, 2010 at 2:42 PM

HyperteX

Thanks for quick reply. I did not try your option yet, but I will give it a try. I

I am also not sure what exactly to add, and where... that's why I asked the question.

It might also be that CORS is already default supported, but I did not find any info on the site here.

Dec 7, 2010 at 11:03 AM

For those people who like to know about CORS too I add my solution here.

adding the following allows CORS complient AJAX calls (if the browser also supports it)

e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Allow-Origin","*");
e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Allow-Methods","GET, POST, ORIGIN");
e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Allow-Headers","X-Requested-With");
e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Max-Age","86400");
In another webserver than mentioned above, I had to add slighty different

base.Response.AddHeader("Access-Control-Allow-Origin","*");
base.Response.AddHeader("Access-Control-Allow-Methods","GET, POST, ORIGIN");
base.Response.AddHeader("Access-Control-Allow-Headers","X-Requested-With");
base.Response.AddHeader("Access-Control-Max-Age","86400");

I have two web servers both based on the C# web server. Both can have their own IP address and port number but they might be in the same IP, with only a different port number.

Without the CORS headers I could not browse the index.html page from one server and inside that page, use AJAX to get data from the second server. With the CORS headers I can do that without any problem. The browser used is Safari (iPod version 3.1.3) which supports the CORS headers.

Dec 27, 2010 at 6:39 AM

I just see I made a mistake in my additional headers

"Access-Control-Allow-Methods","GET, POST, ORIGIN");

must be

"Access-Control-Allow-Methods","GET, POST, OPTIONS");

Jul 25, 2011 at 12:13 PM
Edited Jul 25, 2011 at 12:14 PM
barts2108 wrote:

I just see I made a mistake in my additional headers

"Access-Control-Allow-Methods","GET, POST, ORIGIN");

must be

"Access-Control-Allow-Methods","GET, POST, OPTIONS");

Where you added these changes? 
It seems it is in this overriden method? 
server.RequestReceived += OnRequest;
...
private static void OnRequest(object sender, RequestEventArgs e)
{
...// Here ?
}
Jul 25, 2011 at 12:50 PM

Exactly. At your //Here? comment. In your case you should use the lines with e.Response

e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Allow-Origin","*");
e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Allow-Methods","GET, POST, OPTIONS");
e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Allow-Headers","X-Requested-With");
e.Response.Add(new HttpServer.Headers.StringHeader("Access-Control-Max-Age","86400");

Using this already for some months now and it works very well. Please keep in mind that "*" maybe is not wise to use in public webservers. Then a more resrictive allow-origin could be set