To give a bit of background, I have been exploring architectures and the various components needed to create a multi-tenant SharePoint App. So far I have settled on using SharePoint only as a frontend layer and using external services to drive the entire backend, including storage.
Given this high-level design, the first interesting item that I came across was while posting data to the backend service from a SharePoint Hosted App: the classic client-side cross-domain security issue. Here are some of the solutions out there for this issue:
- Using the JSONP hack
  - Due to its nature, this only works for ‘GET’ requests and I wanted to do a ‘POST’.
- Using the default SharePoint 2013 Web Proxy
  - I was able to make the ‘GET’ requests work with this approach but not the ‘POST’ requests.
- Creating a Custom Proxy
  - Worked but involved quite a few hoops and a remote web page, which I did not want to create.
- Enabling Cross Origin Resource Sharing (CORS) in WCF Services
  - Worked perfectly!!!
For simple requests, we can enable CORS by setting response headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers with the value ‘*’.
But all requests from Office 365 contain special headers and hence they are ‘preflighted’, which means the browser first sends an HTTP request with the “OPTIONS” method to check the domain and then sends the actual request. (More details on Preflighted requests here)
For preflighted requests we need to write some extra code along with adding the response headers. Here is a good article with sample code that explains this and below is the snapshot of the code:
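As an added example (not the code from the linked article or the original snapshot), the sketch below answers the preflight in Global.asax of an IIS-hosted WCF service and goes one step beyond the ‘*’ value: it echoes the caller's origin only after validating it, which is the form a browser requires when the request carries credentials and the safer default for a multi-tenant backend. The `.sharepoint.com` suffix, the `ValidateOrigin` helper and the allowed method and header lists are assumptions to adapt to your tenants.

```csharp
// Global.asax.cs of the IIS-hosted WCF service (added example; names are hypothetical).
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: tenant app webs are served over HTTPS from *.sharepoint.com.
    private const string AllowedHostSuffix = ".sharepoint.com";

    // Returns the canonical scheme://host[:port] of an allowed origin, or null.
    internal static string ValidateOrigin(string origin)
    {
        Uri uri;
        if (string.IsNullOrEmpty(origin) || !Uri.TryCreate(origin, UriKind.Absolute, out uri))
            return null; // missing, "null" or malformed Origin header
        bool ok = uri.Scheme == Uri.UriSchemeHttps
            && uri.Host.EndsWith(AllowedHostSuffix, StringComparison.OrdinalIgnoreCase);
        return ok ? uri.GetLeftPart(UriPartial.Authority) : null;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        HttpResponse response = Context.Response;
        string allowedOrigin = ValidateOrigin(request.Headers["Origin"]);
        bool isPreflight = request.HttpMethod == "OPTIONS"
            && request.Headers["Access-Control-Request-Method"] != null;

        // The response differs per Origin, so caches must key on that header.
        response.AppendHeader("Vary", "Origin");
        if (allowedOrigin != null)
        {
            // Echo the validated origin instead of sending '*'.
            response.AppendHeader("Access-Control-Allow-Origin", allowedOrigin);
            if (isPreflight)
            {
                // Assumed lists: allow only what the app actually sends.
                response.AppendHeader("Access-Control-Allow-Methods", "GET, POST");
                response.AppendHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
                response.AppendHeader("Access-Control-Max-Age", "600");
            }
        }
        if (isPreflight)
        {
            // Answer the OPTIONS probe here so it never reaches a service operation.
            response.End();
        }
    }
}
```

A preflight from an origin that fails validation still gets a 200 but no Access-Control-* headers, so the browser refuses to send the actual POST.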
And here is the snapshot of the sample app working on Office 365:
Additional Resources on CORS and Multitenant Applications with Azure: