This took me a while to figure out.
Was trying to access my web api service from another domain using angular, and it just wasn’t working, even when I added Access-Control-Allow-Origin header to the response. Interestingly enough ajax request with jQuery worked.
Anyways, here’s the fix:
1. You will need to send a few headers back, to allow the origin, methods, and maybe a few custom headers. This you can do in an action filter (or you can do it in action itself, or add it to custom headers in web.config, or you an write an http handler.. but this is DRY and easy and gives you control over which methods/controllers will be accessible without too much fuss).
2. Browser will likely make a pre-flight OPTIONS request, so you need.. guess what.. an OPTIONS method on you controller. This method doesn’t have to do anything or return anything, but it has to be there.
And it works.. simple enough, but damn it was quite a bit of googling to understand what’s going on.