Explore Courses Blog Tutorials Interview Questions
+1 vote
in DevOps and Agile by (19.7k points)

I'm working on selenium tests (written in C# using the chrome webdriver) for a javascript web app that uses a backend server running on WebApi 5.2.4. It is CORS enabled with very permissive settings:

namespace SealingService


    public static class WebApiConfig


        public static void Register(HttpConfiguration config)


            // Web API configuration and services

            var cors = new EnableCorsAttribute("*", "*", "*");


            // etc...




Normally everything works as expected. But on some machines when the server is started by the test scripts the client encounters CORS errors on every request. The chrome dev console shows the standard Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. message. The server logs show that the OPTION requests are reaching it, and it's sending a response.

When I try to access any of the API routes manually, the server returns the generic ASP.NET 404 page. This makes me think that our CORS configuration actually could be working correctly, but the server is not being started/configured correctly by our test script, so the routes are not being registered. Thus, all API routes are returning the 404 page, which is obviously not CORS enabled.

This is the applicationhost.config used by IIS during the tests. This is how the server is started by the test script:

public static Process StartIIS(string siteName)


    return Process.Start(@"C:\Program Files (x86)\IIS Express\iisexpress.exe", $"/site:{siteName} /config:{_applicationHostConfigFilePath}");


The errors only occur on some machines, and we can't figure out what is configured differently between them. I've tried using Chrome's --disable-web-security flag but it doesn't seem to make any difference.

1 Answer

0 votes
by (62.9k points)

You can usually solve pre-flight errors with a change to your web.config:





        <add name="Access-Control-Allow-Origin" value="*" />

        <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept, Cache-Control" />

        <add name="Access-Control-Allow-Credentials" value="true" />

        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />




Or via code in a custom handler with something like: 

if (request.Headers.Contains("Origin") && request.Method.Method == "OPTIONS")


    var response = new HttpResponseMessage();

    response.StatusCode = HttpStatusCode.OK;

    response.Headers.Add("Access-Control-Allow-Origin", "*");

    response.Headers.Add("Access-Control-Allow-Headers", "Origin, Content-Type, Accept, Authorization");       

   response.Headers.Add("Access-Control-Allow-Methods", "DELETE, POST, PUT, OPTIONS, GET");


If it works you can then try refining things by e.g. changing Access-Control-Allow-Origin to just your front-ends address.

If you are interested to learn Selenium on a much deeper level and want to become a professional in the testing domain, check out Intellipaat’s automation testing course!

Browse Categories