Azure网站Rest Api只接受GET，POST返回403.可能是CORS [英] Azure website Rest Api only accept GET, POST returns 403. Possibly CORS

问题描述

我遇到了一个奇怪的问题.我有一个在 Azure 应用服务(网站)下运行的 Asp.net Core WebApi 项目.我在 Chrome 中使用 DHC 插件.我的服务也使用 AAD 运行.

I am encounter a strange problem. I have a Asp.net Core WebApi project running under Azure App Service (Website). I am using DHC plug-in in Chrome. My service is also running with AAD.

我可以请求一个 GET 方法就好了(登录后).但是，当我请求任何 POST 时，我得到了 403 响应.在日志中环顾四周，我可以看到这个

I can request a GET method just fine (After login). However, when I request any POST, I got a 403 response. Looking around in the log, I can see this

2016-07-28T08:14:26 PID[x] 详细收到的请求:POST https://blahblah.azurewebsites.net/api/build/beep/

2016-07-28T08:14:26 PID[x] Verbose Received request: POST https://blahblah.azurewebsites.net/api/build/beep/

2016-07-28T08:14:26 PID[x] Verbose 发现站点blah.azurewebsites.net"的AppServiceAuthSession"cookie.长度:856.

2016-07-28T08:14:26 PID[x] Verbose Found 'AppServiceAuthSession' cookie for site 'blah.azurewebsites.net'. Length: 856.

2016-07-28T08:14:26 PID[x] 信息发送响应:403.60 Forbidden

2016-07-28T08:14:26 PID[x] Information Sending response: 403.60 Forbidden

2016-07-28T08:14:26 PID[x] 警告检测到来自引用者"的用户blah@blahblah.com"的跨站点请求伪造！

2016-07-28T08:14:26 PID[x] Warning Cross-site request forgery detected for user 'blah@blahblah.com' from referer ''!

我使用的是 Asp.net Core 1.0.我在我的代码(AllOrigin AllHeader)中启用了 CORS，并且 Azure 网站中的 CORS 有一个*"条目，它应该接受每个来源.日志流似乎甚至没有访问我的网站，但 Azure 中的某些内容阻止了请求.

I am using Asp.net Core 1.0. I have CORS enable in my code (AllOrigin AllHeader), as well as the CORS in Azure website has an entry for '*', which supposed to accept every origin. The log stream seems like it does not even hit my website, but something in Azure blocks the request.

有什么帮助吗?

一个成功的 GET 方法

A successful GET method

2016-07-28T20:24:35 PID[22880] 详细收到的请求:GET https://blah.azurewebsites.net/api/build/beep/

2016-07-28T20:24:35 PID[22880] Verbose Received request: GET https://blah.azurewebsites.net/api/build/beep/

2016-07-28T20:24:35 PID[22880] 详细发现站点blah.azurewebsites.net"的AppServiceAuthSession"cookie.长度:876.

2016-07-28T20:24:35 PID[22880] Verbose Found 'AppServiceAuthSession' cookie for site 'blah.azurewebsites.net'. Length: 876.

2016-07-28T20:24:36 PID[22880] 详细验证 blah@blah.com 成功使用会话 Cookie"身份验证.

2016-07-28T20:24:36 PID[22880] Verbose Authenticated blah@blah.com successfully using 'Session Cookie' authentication.

推荐答案

看起来你的 JavaScript 客户端被 Authentication/Authorization 模块的 CSRF 保护阻止了，它目前不知道 CORS 配置(它可能应该 - 我会调查的).

Looks like your JavaScript client is being blocked by the Authentication / Authorization module's CSRF protection, which currently doesn't know about the CORS configuration (it probably should - I'll look into this).

解决此问题的最简单方法是在客户端设置中添加自定义 User-Agent HTTP 标头.我们内置的 CSRF 保护寻找的一件事是客户端是否是浏览器.几乎所有主流浏览器都使用Mozilla/..."作为用户代理字符串.将此更改为其他内容，以明确您不是浏览器，并且您的 POST 请求将成功通过.

The simplest way to work around this is to add a custom User-Agent HTTP header in your client settings. One of the things our built-in CSRF protection looks for is whether the client is a browser. Pretty much all major browsers use "Mozilla/..." as the user-agent string. Change this to something else to make it clear that you're not a browser and your POST request will go through successfully.

这篇关于Azure网站Rest Api只接受GET，POST返回403.可能是CORS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！