2

I'm having a problem setting a content-type of application/json header on my post request.

    saveUpdates(alltabs: AllTabs): Observable<Response> {
            let api = this.host + this.routes.save;
            let headers = new Headers();
            headers.append('Content-Type', 'application/json');

            return this._http.post(api, JSON.stringify(alltabs), { headers: headers })
            .map((response: Response) => <Response>response.json())
            .do(data => console.log("saveUpdates(): " + data))
            .catch(this.handleError);
    }

Request Headers:

OPTIONS /api/productsave HTTP/1.1
Host: wbtest:92
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:3000/product/60000010080
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Response Headers:

HTTP/1.1 405 Method Not Allowed
Cache-Control: no-cache
Pragma: no-cache
Allow: POST
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Access-Control-Allow-Origin: *
Date: Tue, 14 Jun 2016 15:16:15 GMT
Content-Length: 76

As you can see, my request has two unexpected headers added "Access-Control-Request-Headers" and "Access-Control-Request-Method". This seems to suggest an issue with CORS (Cross-Origin Resource Sharing). However, the web.conf file on the API server has been working and the response headers states "Access-Control-Allow-Origin: *".

Any idea what could be wrong?

UPDATE:

The above code is correct - the problem is with the Sever code not being configured to handle preflight requests. In my case, the .NET Web API 2 application was not configured to allow CORS.

Improve this question

1 Answer 1

Reset to default
3

With CORS, you have two kinds of requests. As a matter of fact, the CORS specification distinguishes two distinct use cases:

  • Simple requests. This use case applies if we use HTTP GET, HEAD and POST methods. In the case of POST methods, only content types with the following values are supported: text/plain, application/x-www-form-urlencoded and multipart/form-data.
  • Preflighted requests. When the "simple requests" use case doesn't apply, a first request (with the HTTP OPTIONS method) is made to check what can be done in the context of cross-domain requests.

It seems that your server isn't configured to support preflighted request. The reason for the 405 status code (405 Method Not Allowed).

See this article for more details:

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

I think you're correct (Chrome does state "Response for preflight has invalid HTTP"), but adding "<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />" and "<add name="Access-Control-Allow-Headers" value="Content-Type" />" to my web.conf still gives the same issue.
I don't know what you use for your server but generally there are things to do. For example with Node, you need to define a middleware in Express to handle OPTIONS methods. See npmjs.com/package/cors
Thanks Thierry. It seems our .NET Web API 2 application was not configured to handle preflight requests.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.