ServiceStack cross-origin request/ response headers

gistfile1.txt

Request URL:http://localhost:63005/utils/md5/test
Request Method:OPTIONS
Status Code:200 OK

Request Headers

Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, content-type, accept
Access-Control-Request-Method:GET
Connection:keep-alive
Host:localhost:63005
Origin:http://localhost:49391
Referer:http://localhost:49391/md5
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11

Response Headers

Cache-Control:private
Content-Length:0
Date:Mon, 08 Oct 2012 19:10:07 GMT
Server:Microsoft-IIS/8.0
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
X-SourceFiles:=?UTF-8?B?QzpcVXNlcnNcY2RlcHBlblxDb2RlXFV0aWxzXHNyY1xBcGlcdXRpbHNcbWQ1XHRlc3Q=?=

I don't see any ServiceStack headers here. Is there any indication that ServiceStack is handling this request? i.e. debugging?
What is the root path ServiceStack is meant to be hosted on? /utils ?

The route being added is "/utils/md5/{value*}". The following is the req/res when calling it directly:

Request URL:http://localhost:63005/utils/md5/test
Request Method:GET
Status Code:200 OK

Request Headers

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Cache-Control:max-age=0
Connection:keep-alive
Cookie:ss-pid=bCwMi6ckcEKojLAH4J9cIw==
Host:localhost:63005
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.17 Safari/537.11

Response Headers

Access-Control-Allow-Headers:Content-Type
Access-Control-Allow-Methods:GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:*
Cache-Control:private
Content-Encoding:gzip
Content-Length:3834
Content-Type:text/html
Date:Mon, 08 Oct 2012 19:36:33 GMT
Server:Microsoft-IIS/8.0
Vary:Accept-Encoding
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET
X-Powered-By:ServiceStack/3.921 Win32NT/.NET
X-SourceFiles:=?UTF-8?B?QzpcVXNlcnNcY2RlcHBlblxDb2RlXFV0aWxzXHNyY1xBcGlcdXRpbHNcbWQ1XHRlc3Q=?=

What does the skeleton/structure your service look like? i.e. Where are the Cors* attributes being applied? are you using the Global Plugins.Add(new CorsFeature()); in your AppHost?
Are you using the New Api ?

Though I've tried the CorsFeature plugin, I've been using the following in the Configure method of AppHost:

SetConfig(new EndpointHostConfig
    {
        GlobalResponseHeaders =
            {
                {"Access-Control-Allow-Origin", "*"},
                {"Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"},
                {"Access-Control-Allow-Headers", "Content-Type"}
            }
    });

I haven't used the new API yet.

Ok that should work as well. Can you try a New API sample service like:

[Route("/testoptions")]
public class TestOptions { }
public class TestOptionsService : Service {
    [EnableCors]
    public void Options(TestOptions request) {}
}

And see if the headers get emitted as well. I'd like to know if something else is hijacking the OPTIONS request (e.g. MVC Http Module or IIS installed WebDav, etc) or its ServiceStack not handling it properly.
Also can you update to the new version of SS was released last night so we're looking at the same code-base.

I upgraded SS and implemented the new API to include the following. Works like a charm. Thanks.

[Route("/utils/md5/{value*}")]
public class MD5Hash
{
    public string Value { get; set; }
}

[EnableCors(allowedHeaders: "Content-Type, X-Requested-With")]
public void Options(MD5Hash request)
{
}

public object Get(MD5Hash request)
{
    return new MD5HashResponse { Result = request.Value.ToMD5() };
}

Then just had to include this in AppHost:

SetConfig(new EndpointHostConfig
    {
        GlobalResponseHeaders =
            {
                {"Access-Control-Allow-Origin", "*"}
            }
    });

Sweet! glad to here it :)
Yeah it's probably a good idea to move to the new API, imo it's simpler more intuitive + requires less effort. We're slowly replacing all demos/examples to move to the new API on our side as well.