Arne Kemps Arne Kemps - 1 year ago 127
Ajax Question

CORS authenticated requests to Google Sites feed/API blocked

I'm currently building an ASP.NET web application to simplify the provisioning of Google Sites, pages, Gadgets on Google Sites and ACLs for Google Sites.

I have encountered the issue which many a developer has already come across: cross-origin resources. According to the Google documentation on CORS requests to Google APIs, you simply use an XMLHttpRequest (or AJAX) request, providing your access token in the header. More information can be found here:

I've been perfectly able to accomplish this when I'm accessing the Google Sites API from within my domain on Google Sites, injecting AJAX requests while my browser window's location is within the domain. An example of a succeeded request to make a new site from within my domain:

////// REQUEST \\\\\\
type: "POST",
url: "[domainName]",
contentType: "application/atom+xml",
headers: {
"Authorization": "Bearer " + [accessToken],
"GData-Version": "1.4"
data: ["<entry xmlns='' xmlns:sites=''>",
"<title>What a site</title>",
"<summary>Best description ever.</summary>",

////// LOGGING \\\\\\
beforeSend: function () {
success: function (result) {
error: function (xhr, ajaxOptions, thrownError) {

(In several cases below, I'm writing https:// as [https] due to my account still being restricted to 2 links in a post).

At this point everything was going great, I thought I had everything set to use the code into my ASP.NET site. Alas, things don't always go to plan. When I executed the exact same AJAX call from within my application (right now still hosted on [https]localhost:44301), I get the following error:

XMLHttpRequest cannot load
[https][censored] Response to preflight
request doesn't pass access control check: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin '[https]localhost:44301' is therefore not allowed
access. The response had HTTP status code 405.

The usual CORS error. I was surprised though, as the advised way of making requests to Google APIs is exactly that. I've also found an article about using CORS with the Google Cloud API:

In the article it states:

Most clients (such as browsers) use the XMLHttpRequest object to make
a cross-domain request. XMLHttpRequest takes care of all the work of
inserting the right headers and handling the CORS interaction with the
server. This means you don't add any new code to take advantage of
CORS support, it will simply work as expected for Google Cloud Storage
buckets configured for CORS.

Of course, this isn't the Google Sites API, but I find it hard to believe that Google hasn't implemented the same functionality in all of their APIs.

Does anyone know whether it's possible to achieve successful requests such as this from within a standalone ASP.NET application? And if so, how?

Many thanks for spending time to read about my hardships.


I've contacted Google Apps Support regarding my issue, and have gotten the following response:

In addition to the information you provided, I also reviewed your post
CORS authenticated requests to Google Sites feed/API blocked.
The note at
only reinforces the statement under 'Can I create a new Google Site?'
and 'How do I copy a site?' at,
which states 'Google Apps users can use the site feed to ...' However,
I don't see why this is relevant to your issue, if you've authorised
against your domain administrator account, as the note is only
indicating that users won't be able to use the listed
methods to create, or copy a site.

I haven't used CORS, so can't comment on it's operation, but have been
able to successfully list, and create sites using HTTP GET and POST
requests via a raw HTTP client, so the API is operating as it should
with regard to cross domain requests. I used the sample XML document
to create my site, configuring the client with credentials for my
Developer console project. The fact that the request only fails in
your ASP.NET site implies that there is something in that environment
which isn't configured correctly. Unfortunately that's outside my
scope of support, so I'm unable to provide any specific advice, other
than to check the relevant documentation, or post a request in the
ASP.NET section of Stack Overflow at

Answer Source


It seems that a lot of browsers would still block an AJAX request across different domains, even when it's allowed by the API you're trying to reach. Instead of using AJAX, I'm now using the C# WebRequest in a DLL.


// Create the request
WebRequest request = WebRequest.Create("[domainName]");
request.Method = "POST";
request.contentType = "application/atom+xml";
request.Headers.Set(HttpRequestHeader.Authorization, "Bearer " + [accessToken]);
request.Headers["GData-Version"] = "1.4";

// Fill in the data and encode for the datastream
string data = ["<entry xmlns='' xmlns:sites=''>",
                   "<title>What a site</title>",
                   "<summary>Best description ever.</summary>",
byte[] byteArray = Encoding.UTF8.GetBytes (data);

// Add the data to the request
Stream dataStream = request.GetRequestStream ();
dataStream.Write (byteArray, 0, byteArray.Length);
dataStream.Close ();

// Make the request and get the response
WebResponse response = request.GetResponse ();

More info can be found on MSDN:

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download