I'm using jquery to make an ajax call to an asp.net Web API method that uses an authorization token for authenticating requests. Here is the ajax call:
$.ajax({
url: targetUrl,
type: 'GET',
beforeSend: function(xhr){
xhr.setRequestHeader("Authorization", "Basic " + btoa(token + ":" + password));
},
success: function (data) {
// do stuff
}
});
This call is resulting in an 405 Method Not Allowed for the OPTIONS method. Which seems to be an issue with CORS support on the Web API.
But, the Web API method works as expected if called from a simple .NET console app:
HttpWebRequest req = (HttpWebRequest)HttpWebRequest.Create(url);
req.Headers[HttpRequestHeader.Authorization] = "Basic " + token + ":" + password;
HttpWebResponse res = (HttpWebResponse)req.GetResponse();
It also works if called from Fiddler.
If the Web API method does not support CORS, why do these other calls work? Am I missing something in my jQuery call?
P.S. I do not have access to the Web API code base.
Thanks in advance for the help!
why do these other calls work?
Because the other calls are not being made from JavaScript running in a web page being visited by the browser on the client computer. They are made by software that has been explicitly installed on the client computer.
The Same Origin Policy is there to stop Website A using User B's browser to request data from Website C using User B's credentials.
CORS is a way for Website C to tell the browser that it can relax the Same Origin Policy.
Since the Same Origin Policy doesn't apply outside the browser, the preflight OPTIONS request that the CORS spec requires isn't even sent in your other tests.