OPTIONS 405 (Method Not Allowed) regardless server sends Access-Control-Allow-Methods:OPTIONS, GET, HEAD, POST

Asked 8/11, 2012 at 11:14 Answered 3/11, 2016 at 14:58

javascript sencha-touch cross-domain cors jqxhr

I'm trying to make cross-domain request and my server is configured to send the following headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:x-requested-with, Authorization
Access-Control-Allow-Methods:OPTIONS, GET, HEAD, POST
Access-Control-Allow-Origin:*

But when an OPTION request is made, I get OPTIONS 405 (Method Not Allowed) error.

Any Ideas what is the problem and how to fix it?

Tidewater answered 8/11, 2012 at 11:14 Comment(1)

Possible duplicate of Access-Control-Allow-Origin Multiple Origin Domains? – Exteroceptor 14/11, 2016 at 11:44

I would suggest 2 solutions:

1) If you are using WebAPI you need to implement the option method that by convention should look like:

public class XXXController : ApiController
{
    // OPTION http-verb handler
    public string OptionsXXX()
    {
        return null; // HTTP 200 response with empty body
    }

    ...
}

2) If you are not using WebAPI try to understand which part of your code triggers the OPTIONS 405 (Method Not Allowed) error for the OPTION call. In that case I would check if trying to add to the Web.config file these <customHeaders/> that works:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- CORS temporary solution -->
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization, Accept, X-Requested-With" />
        <add name="Access-Control-Allow-Methods" value="OPTIONS, TRACE, GET, HEAD, POST, PUT" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Hannis answered 8/2, 2013 at 0:45 Comment(0)

Your web server / application may been configured to send the mentioned response header for every HTTP GET verb and POST verb requests. But is your web server configured to handle HTTP OPTIONS Verb?

If you need more details, please provide the webserver and application programming technology you are using.

A little background, Browsers send an OPTIONS Request when you have a cross domain request with some custom request headers. This request is made before the actual request. The browser will make the actual request only if this request comes back with the response header you have mentioned.

// These OPTIONS request are called preflight requests -- generally browsers dev tools dont track them in their network tab.f

Chide answered 8/11, 2012 at 18:3 Comment(4)

Thanks for your comment. The server is IIS 7. How do I configure it to handle OPTIONS? – Tidewater 9/11, 2012 at 0:0

Sounds like a good direction. Can you please provide some recommended link about how to handle HTTP Options verb? – Balsam 27/8, 2014 at 13:55

@Balsam shortest explanation to handle options verb is explained in https://mcmap.net/q/335831/-handling-cors-preflight-requests-to-asp-net-mvc-actions - for more details on how to web api < 2 and asp.net mvc in generat check this codeguru.com/csharp/.net/net_asp/… . For web api 2 check asp.net/web-api/overview/security/… – Chide 27/8, 2014 at 14:12

This last comment finally solved my problem for webapi 2: Install-Package Microsoft.AspNet.WebApi.Cors and httpEnableConfig.EnableCors() – Barmaid 13/4, 2015 at 19:5

You would need to modify default OPTIONSVerbHandler. If using asp classic, that would mean adding following lines to your Web.config file:

    <handlers>
        <remove name="OPTIONSVerbHandler" />
        <add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\System32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />
    </handlers>

Skiing answered 3/11, 2016 at 14:58 Comment(0)

Recommended topics

Hot tags