 

ColdFusion REST API Enable CORS

I am trying to build a REST API using ColdFusion components and I can't figure out how to enable CORS. I am using IIS 10 and ColdFusion 2016. I can't find anywhere in IIS to configure CORS following instructions on Google and I don't see anywhere under CF admin settings to enable CORS, so I figured I would try to enable CORS in my API instead of fiddling with configuration in each environment I deploy this to (qa, uat, prod).

This is what my application.cfc currently looks like, and you can see in the onRequestStart I am attempting to set the headers (two ways I've tried):

<cfscript>
    component output="false" {
        this.name = ....


        public boolean function onApplicationStart() {
            restInitApplication( ... );
            return true;
        }

        public void function onApplicationEnd(ApplicationScope) {
            return;
        }

        public void function onMissingTemplate(targetPage) {
            return;
        }

        public void function onRequestStart(targetPage) {
            cfheader(name="Access-Control-Allow-Origin", value="*");
            // I've also tried ...
            GetPageContext().getResponse().addHeader("Access-Control-Allow-Origin","*");
        }

        public void function onSessionStart() {
            return;
        }

        public void function onSessionEnd(sessionScope, applicationScope) {
            return;
        }
    }
</cfscript>
Jordan asked Oct 25 '25 16:10


1 Answer

I would recommend installing the IIS CORS module - reference. Here is a snippet from that reference:

Functionality Overview
The Microsoft IIS CORS Module is an extension that enables web sites to support the CORS (Cross-Origin Resource Sharing) protocol.

The IIS CORS module provides a way for web server administrators and web site authors to make their applications support the CORS protocol. With this module, developers can move CORS logic out of their applications and rely on the web server. The module's handling of CORS requests is determined by rules defined in the configuration. These CORS rules can be easily defined or configured making it simple to delegate all CORS protocol handling to the module.

IIS CORS module is a server-side CORS component
The CORS protocol governs client/server communication. Usually, web browsers act as the client-side CORS component, while the IIS server works as the server-side CORS component with the help of the IIS CORS module.

A CORS request occurs when a protocol aware client, such as a web browser, makes a request to a domain (origin) that differs from the current domain. This scenario is known as a cross-origin request. When CORS is not used, cross-origin requests will be blocked by the client. When the CORS module is used, IIS will inform clients whether a cross-origin request can be performed based on the IIS configuration.

Don't try implementing this from ColdFusion; let the web server do what it is designed to do. Once you have the module installed, you can create the rules you want within the web.config files for any/all IIS sites.

Sample config file:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
    <cors enabled="true" failUnlistedOrigins="true">
        <add origin="*" />
        <add origin="https://*.microsoft.com"
             allowCredentials="true"
             maxAge="120"> 
            <allowHeaders allowAllRequestedHeaders="true">
                <add header="header1" />
                <add header="header2" />
            </allowHeaders>
            <allowMethods>
                 <add method="DELETE" />
            </allowMethods>
            <exposeHeaders>
                <add header="header1" />
                <add header="header2" />
            </exposeHeaders>
        </add>
        <add origin="http://*" allowed="false" />
    </cors>
</system.webServer>
</configuration>

You can download the IIS CORS module from here.

Miguel-F answered Oct 27 '25 13:10
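Before a web.config like the sample above is deployed to qa, uat and prod, its `<cors>` rules can be reviewed for overly broad origins. The following is an added example, not code from the answer or from Microsoft: `audit_cors` and its finding rules are this example's own review policy, and it assumes `enabled` and `failUnlistedOrigins` default to false and `allowed` defaults to true when omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <cors> rules from the answer's web.config, trimmed.
SAMPLE = """<configuration><system.webServer>
  <cors enabled="true" failUnlistedOrigins="true">
    <add origin="*" />
    <add origin="https://*.microsoft.com" allowCredentials="true" maxAge="120" />
    <add origin="http://*" allowed="false" />
  </cors>
</system.webServer></configuration>"""

def _true(elem, attr, default):
    """Read a boolean attribute, falling back to the assumed default."""
    return elem.get(attr, default).strip().lower() == "true"

def audit_cors(web_config_xml):
    """Return (origin, finding) tuples for CORS rules worth a second look."""
    cors = next(ET.fromstring(web_config_xml).iter("cors"), None)
    if cors is None or not _true(cors, "enabled", "false"):
        return [("-", "cors section missing or not enabled")]
    findings = []
    if not _true(cors, "failUnlistedOrigins", "false"):
        findings.append(("-", "failUnlistedOrigins is not true"))
    for rule in cors.findall("add"):
        origin = rule.get("origin", "")
        # Assumption: a rule without allowed="false" permits the origin.
        if not _true(rule, "allowed", "true"):
            continue
        if origin == "*":
            findings.append((origin, "any origin is allowed"))
        elif "*" in origin and _true(rule, "allowCredentials", "false"):
            findings.append((origin, "wildcard origin with credentials"))
        if origin.lower().startswith("http://"):
            findings.append((origin, "cleartext http origin allowed"))
    return findings

if __name__ == "__main__":
    for origin, finding in audit_cors(SAMPLE):
        print(f"{origin}: {finding}")
```

For a real file, pass its contents read in binary mode so the XML declaration's encoding is honoured.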


