CORS support for PUT and DELETE with ASP.NET Web API

Nathan Taylor picture Nathan Taylor · Sep 20, 2012 · Viewed 49.6k times · Source

I am working with the final version of ASP.NET Web API to implement a JavaScript-friendly API. Per various tutorials, I have enabled CORS in my web.config:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
  </customHeaders>
 </httpProtocol>
</system.webServer>

With the above, cross-domain GET and POST requests work fine, but PUT and DELETE requests both fail.

In Chrome:

Method PUT is not allowed by Access-Control-Allow-Methods.

Method DELETE is not allowed by Access-Control-Allow-Methods.

Is there something additional required to get PUT and DELETE verbs working cross-domain?

Answer

Nathan Taylor picture Nathan Taylor · Sep 21, 2012

It looks like adding another custom header sorted it out:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
  </customHeaders>
 </httpProtocol>
</system.webServer>