Access-control-allow-origin headers not being sent with OPTIONS responses from API (3.2.1)

Hi all,

I’m trying to make a request via javascript that causes the following OPTIONS headers for a CORS check to be sent:

OPTIONS /api/projects/Projects-18 HTTP/1.1
Host: octopus.crspmi.local
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Access-Control-Request-Headers: accept, x-octopus-apikey
Accept: */*
Referer: http://localhost/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

However, the server is responding without any CORS information back:

Allow:GET, PUT, DELETE
Content-Encoding:gzip
Content-Type:text/html
Date:Fri, 13 Nov 2015 23:05:56 GMT
Server:Octopus Deploy/ Microsoft-HTTPAPI/2.0
Transfer-Encoding:chunked
X-UA-Compatible:IE=edge

Therefore I cannot access the API from javascript cross site. Is this expected? In a different ticket, it looked like you folks were using the appropriate Nancy code to produce the correct headers back, but I just can’t get it to work.

-Matt Nischan

Also reproducible on 3.2.3.

Hi Matt,

Thanks for getting in touch and for researching the problem first! You need to configure the Octopus Server to enable CORS for the domain(s) you care about:

Octopus.Server.exe configure --webCorsWhitelist=*

Hope that helps.
Mike

Thanks Mike. I will give that a shot.

Is this configuration somewhere in documentation that I missed? I would like to pass it on to my team.

Hi Matt,

No, it’s not a documented feature, though I do see it becoming more common to build augmenting portals as CORS clients over Octopus.

All of the configuration commands are available as help on the Octopus.Server.exe command-line.

Hope that helps.
Mike

Hi Mike,

Thanks for the heads up! I will close this ticket.

Hi!
Is it planned for fixing soon or we need to look for some infrastructure workaround?

Hi!

Thanks for getting in touch. There’s actually nothing that needs fixing on Octopus Server, you just need to configure Octopus Server to enable CORS using the Octopus.Server.exe configure --webCorsWhitelist=<yourwhitelist> command.

Hope that helps!
Mike