On both our local installation and at https://demo.octopusdeploy.com, no Access-Control-Allow-Origin header is being returned from the server when trying to access the REST API. For example, if I send the following request:
OPTIONS https://demo.octopusdeploy.com/api/dashboard HTTP/1.1
Host: demo.octopusdeploy.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
Origin: https://localhost.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: */*
Referer: https://localhost.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Then the headers I get back are:
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Allow: GET
Content-Type: text/html
Content-Encoding: gzip
Server: Octopus Deploy/ Microsoft-HTTPAPI/2.0
X-UA-Compatible: IE=edge
X-Frame-Options: DENY
Date: Tue, 20 Sep 2016 16:41:20 GMT
It is interesting that the Allow header is properly returned, though.
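
As an added example (not part of the original post and not Octopus Deploy code), the following JavaScript applies a simplified version of the browser's CORS preflight check to the response captured above. The function names and the second, corrected response are constructed for illustration; credentials mode and Access-Control-Request-Headers are not modelled.

```javascript
// Added example: simplified CORS preflight check, run over the response from the post.
const CAPTURED_RESPONSE = `HTTP/1.1 200 OK
Transfer-Encoding: chunked
Allow: GET
Content-Type: text/html
Content-Encoding: gzip
Server: Octopus Deploy/ Microsoft-HTTPAPI/2.0
X-UA-Compatible: IE=edge
X-Frame-Options: DENY
Date: Tue, 20 Sep 2016 16:41:20 GMT`;
// Constructed sample (not from the post): a preflight response that opts in to CORS.
const CORRECTED_RESPONSE = `HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://localhost.com
Access-Control-Allow-Methods: GET
Vary: Origin`;

// Parse a raw header block (status line first) into a map keyed by lowercase name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.trim().split(/\r?\n/).slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers are combined with ", ".
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return headers;
}

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

function checkPreflight(origin, requestMethod, rawResponse) {
  const status = parseInt(rawResponse.trim().split(/\s+/)[1], 10);
  const h = parseHeaders(rawResponse);
  const problems = [];
  if (!(status >= 200 && status <= 299)) problems.push(`preflight status ${status} is not 2xx`);
  const acao = h.get("access-control-allow-origin");
  if (acao === undefined) problems.push("Access-Control-Allow-Origin is missing");
  else if (acao !== "*" && acao !== origin) problems.push(`Access-Control-Allow-Origin "${acao}" does not match ${origin}`);
  const listed = (h.get("access-control-allow-methods") || "").split(",").map((m) => m.trim());
  if (!SAFELISTED_METHODS.has(requestMethod) && !listed.includes(requestMethod) && !listed.includes("*"))
    problems.push(`${requestMethod} is not listed in Access-Control-Allow-Methods`);
  // The Allow header is reported for reference only; the CORS check never reads it.
  return { allowed: problems.length === 0, problems, allowHeader: h.get("allow") };
}

console.log(checkPreflight("https://localhost.com", "GET", CAPTURED_RESPONSE));
console.log(checkPreflight("https://localhost.com", "GET", CORRECTED_RESPONSE));
```
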