In ASP.NET WebApi2 if there is an internal server error, a 500 Response is sent <strong>without</strong> the Access-Control-Allow-Origin header, even when <a href="http://enable-cors.org/server_aspnet.html" rel="nofollow" title="CORS is enabled">CORS is enabled</a>.
This leads the browser to report a CORS error, not an internal server error.
I suppose a server in an erroneous state might not be able to report on the origins it will respond to so it seems to me like the browser should handle this exceptional case and report the internal error, rather than the CORS one.
A ) Is there a way to get the internal server error to show up in the browser as the reason my request failed?
B ) Should an issue be raised with the browser regarding this?Answer1:
According to the CORS spec, the user agent (browser) should not reveal anything about the request if the response does not contain proper acknowledgement of the cross-origin request. So, the browsers are following the spec, and there is nothing more that can be done about this. If you want to programmatically reveal the underlying response status client-side, your server will need to properly acknowledge the cross-origin request by including the appropriate Access-Control-Allow header(s).