[SOLVED] CORS and Preflight (OPTIONS) response codes in case of authorization error

CORS and Preflight (OPTIONS) response codes in case of authorization error

In a Preflight request which codes should I use for authorization errors?

I mean, I can have two different types of unauthorized error:

User can't run a preflight (OPTIONS method is handled - so I think I should not use 405 - but user is not authorized to ask for OPTIONS)
User does not have the rights to call the requested method (specified by Access-Control-Request-Method)

Solution

I had a similar setup that was showing 405 errors and 500 errors as I was attempting to get CORS running on my web service. My fix basically needed a response.End() call if the Request was the pre-flight OPTIONS method. The web.config web handlers found in the CORS documentation was fine, as long as the OPTIONS was included in the list of allowed calls. I did NOT need to move any of the customer handlers into code.

Basically, my fix/setup includes this ONE MAJOR FIX in my ApplicationOnBeginRequest handler:

private void ApplicationOnBeginRequest( object sender, EventArgs eventArgs )
    {
...
            if ( context.Request.HttpMethod == "OPTIONS" )
                response.End();
        }

and these handlers in my web.config:

<system.webServer>
    <!--Other handlers/modules ...-->
    <httpProtocol>
        <customHeaders>
            <clear />
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Credentials" value="true" />
            <add name="Access-Control-Allow-Headers" value="Content-Type,Accept" />
            <add name="Access-Control-Allow-Methods" value="GET,POST,PUT,DELETE,OPTIONS" />
        </customHeaders>
    </httpProtocol>
   </system.webServer>