Thanks Adrian. I saw that and will try it tonight when I get home (I need to make the service call ssl too). Azurewebsites.net has an ssl certificate, so it should all work once it is end-to-end ssl. On 13 Oct 2015 6:42 pm, "Adrian Halid" <adr...@halid.com.au> wrote:
> http://jeffmcmahan.info/blog/firewall-causes-cors-to-fail/ > > > > The comments in this post suggest using TSL/SSL. The firewall can’t mess > with your headers. > > > > *Regards* > > > > *Adrian Halid* > > > > *From:* ozdotnet-boun...@ozdotnet.com [mailto: > ozdotnet-boun...@ozdotnet.com] *On Behalf Of *David Burstin > *Sent:* Tuesday, 13 October 2015 2:08 PM > *To:* Thomas Koster <tkos...@gmail.com> > *Cc:* ozDotNet <ozdotnet@ozdotnet.com> > *Subject:* Re: CORS, Azure, Chrome desktop and mobile > > > > Firstly, thanks again to everyone who has taken the time to look at this. > > > > Yes, it turns out that it is a firewall issue. :( > > > > So, given that having a web page talk to a web service at a different > origin is not a crazy or unusual situation, how do you guys deal with this? > How do you make the web page work, given that you can't go to everyone who > looks at your site and ask them to change their firewall rules, no matter > how dumb they are (the firewall rules and the people you are talking to)? > > > > Or is it just not possible? > > > > Cheers > > Dave > > > > On 13 October 2015 at 16:53, Thomas Koster <tkos...@gmail.com> wrote: > > On 13 October 2015 at 15:39, David Burstin <david.burs...@gmail.com> > wrote: > > My response headers don't have "Access-Control-Allow-Origin". Any ideas > > why? (I am about to hit google) > > On 13 October 2015 at 16:11, Thomas Koster <tkos...@gmail.com> wrote: > > Are you using a proxy, firewall or browser plugin that is removing them? > > If you suspect this, try HTTPS (although a browser plugin can still bite > > you). > > On 13 October 2015 at 16:15, David Burstin <david.burs...@gmail.com> > wrote: > > Thanks Thomas. Definitely not a plugin, possibly a proxy or firewall > issue. > > I will talk to the guys here who know more about this than me. > > At first, looking at your screenshot, I didn't think that a proxy or > firewall was removing headers because outgoing headers look fine and > rubbish headers like "X-Powered-By" did make it through. (Why include > "X-Powered-By" on a whitelist but not CORS headers?!). But then I > noticed that "X-AspNet-Version" is also missing from your > screenshot... > > -- > Thomas Koster > > >