Ajax Request header field Key is not allowed by Access-Control-Allow-Headers

广开言路 2021-02-04 06:21

Trying to build a DNN Service Framework WebAPI but I'm having trouble consuming it with CORS. I have all of the appropriate headers (I think) but it still doesn't seem to be w

3 answers
  •  天命终不由人
    2021-02-04 07:12

    Your server responds with the following custom header to the preflight request:

    Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
    

    whereas if you (or the person who wrote this server) read carefully about CORS he should have responded with:

    Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
    

    Now the client could go ahead and use the Key custom header.

    This being said, Bearer is quite specific to OAuth 2 which is sent throughout the Authorization header. Using Key seems like a terrible violation of RFCs and stuff and a wheel reinvention kinda.
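
The check a browser applies to the preflight response, as an added example that is not part of the original answer. `checkPreflight` and the sample inputs are constructed for illustration; the wildcard rule shown applies to requests sent without credentials.

```javascript
// Response header names defined by the CORS protocol (lowercase).
const CORS_RESPONSE_HEADERS = new Set([
  "access-control-allow-origin",
  "access-control-allow-methods",
  "access-control-allow-headers",
  "access-control-allow-credentials",
  "access-control-expose-headers",
  "access-control-max-age",
]);

// responseHeaders: plain object holding the preflight response headers.
// requestedHeaders: names the browser sent in Access-Control-Request-Headers.
function checkPreflight(responseHeaders, requestedHeaders) {
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  // Names that look like CORS headers but are not defined: browsers ignore them.
  const unrecognized = [...headers.keys()].filter(
    (name) => name.startsWith("access-control-") && !CORS_RESPONSE_HEADERS.has(name)
  );
  const allowed = new Set(
    (headers.get("access-control-allow-headers") || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean)
  );
  // "*" covers any header except Authorization, which must be listed by name.
  const wildcard = allowed.has("*");
  const blocked = requestedHeaders.filter((h) => {
    const name = h.toLowerCase();
    if (allowed.has(name)) return false;
    return !(wildcard && name !== "authorization");
  });
  return { ok: blocked.length === 0, blocked, unrecognized };
}

// Constructed sample: the misspelled header from the answer, then the corrected one.
const list = "Origin, X-Requested-With, Content-Type, Accept, Key";
const broken = checkPreflight({ "Access-Control-All-Headers": list }, ["Key"]);
const fixed = checkPreflight({ "Access-Control-Allow-Headers": list }, ["Key"]);
console.log(broken);
console.log(fixed);
```

Running the same check against a captured preflight response in a test suite catches a misspelled header name before it reaches a browser, and the `unrecognized` list points directly at the typo.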
