aspnetcore-realworld-example-app
aspnetcore-realworld-example-app copied to clipboard
CORS and pre-flight OPTIONS requests.
Are OPTIONS action needed for CORS pre-flight requests?
See here: https://github.com/Dotnet-Boxed/Templates/blob/master/Source/Content/ApiTemplate/Controllers/CarsController.cs#L24-L64
/// <summary>
/// Returns an Allow HTTP header with the allowed HTTP methods.
/// </summary>
/// <returns>A 200 OK response.</returns>
[HttpOptions]
[SwaggerResponse(StatusCodes.Status200OK, "The allowed HTTP methods.")]
public IActionResult Options()
{
this.HttpContext.Response.Headers.AppendCommaSeparatedValues(
HeaderNames.Allow,
HttpMethods.Get,
HttpMethods.Head,
HttpMethods.Options,
HttpMethods.Post);
return this.Ok();
}
/// <summary>
/// Returns an Allow HTTP header with the allowed HTTP methods for a car with the specified unique identifier.
/// </summary>
/// <param name="carId">The cars unique identifier.</param>
/// <returns>A 200 OK response.</returns>
[HttpOptions("{carId}")]
[SwaggerResponse(StatusCodes.Status200OK, "The allowed HTTP methods.")]
public IActionResult Options(int carId)
{
this.HttpContext.Response.Headers.AppendCommaSeparatedValues(
HeaderNames.Allow,
HttpMethods.Delete,
HttpMethods.Get,
HttpMethods.Head,
HttpMethods.Options,
HttpMethods.Patch,
HttpMethods.Post,
HttpMethods.Put);
return this.Ok();
}
I think maybe they are only needed for swagger doc.
Wait no... I think you have to manually have this to respond to OPTIONS requests and that is not built into MVC. Why dont we have these?
Browsers do preflight checks but it wasn't part of the API spec (or I didn't see it when I originally did the work). PRs welcome.
Do we have help-wanted or up-for-grabs labels?
https://github.com/aspnet/Docs/issues/7268#issuecomment-446595339