两个ASP.NET Web应用程序 - 跨起源请求总是成功没有自由裁量权 [英] Two ASP.NET web applications - Cross origin request always succeeds without discretion

问题描述

我创建了两个ASP.NET Web应用程序，人们MVC应用程序和一个网络API的新的解决方案。

I created a new solution with two ASP.NET web applications, one MVC application and one Web API.

我想使用类似 api.hybridwebapp.com/values​​ A子，所以我实现了一个IHttpRouteConstraint确保 request.RequestUri访问API。主机==api.mydomain.com对所有API的路线。 更多在这个答案细节。

I wanted to access the api using a subdomain like api.hybridwebapp.com/values so I implemented an IHttpRouteConstraint to ensure request.RequestUri.Host == "api.mydomain.com" on all Api routes. More details in this answer.

然后，我添加下面一行到我的主机文件：

Then I added the following line to my host files:

127.0.0.1    hybridwebapp.com  api.hybridwebapp.com

在IIS管理器中，我创建2个网站（每个项目），并设置相应的绑定每个网站（hybridwebapp.com在80安培; api.hybridwebapp.com 80）

In IIS Manager I created 2 websites (one for each project) and set the appropriate bindings for each website (hybridwebapp.com on 80 & api.hybridwebapp.com on 80)

在项目的网络性能在我每个网站的根目录设置一个本地IIS虚拟目录：

In the projects' Web properties I set a Local IIS virtual directory at the root of each of those websites:

MVC项目网址： http://hybridwebapp.com

网络API项目网址： http://api.hybridwebapp.com

Web Api Project Url: http://api.hybridwebapp.com

我做的MVC应用程序click处理，使跨域请求网页API，它成功地使它尽管我从来没有真正在配置上的Web API的任何一个Cors属性。

I made a click handler in the MVC application to make a cross-domain request to the Web Api and it successfully made it despite me never actually configuring any Cors attributes on the Web Api.

这是误导，因为这将明显地在生产中失败。我能做些什么，使这个更realistic..I'd居然喜欢捏捏CORS配置有一个严格的范围，但我不能这样做，当它接受所有的请求，即使是那些失败了。

This is misleading because this will clearly fail in production. What can I do to make this more realistic..I'd actually like to tweak the CORS configuration to have a stricter scope but I can't do that when it accepts all requests, even those that should fail..

推荐答案

跨子域的请求仍然被认为是跨域请求为不同的子域可以指向完全不同的IP地址和服务器。如果你没有在生产安装设置正确CORS系统，你一定会得到错误。

Cross-sub-domain requests are still considered cross-domain requests as different sub-domains can point to entirely different IPs and servers. You'll definitely get errors if you don't set up CORS properly in your production setup.

编辑：：要正确模拟生产系统中，你需要玩的<一个href=\"http://blogs.technet.com/b/chrad/archive/2010/01/24/understanding-iis-bindings-websites-virtual-directories-and-lastly-application-pools.aspx\"相对=nofollow> IIS绑定配置。如果你不能得到它的工作，你应该尝试一个VM主办api.hybridwebapp.com，这肯定会是CORS的工作是不同服务器之间自动触发。

To properly emulate production setup, you'll need to play with the IIS binding configuration. If you can't get it working, you shall try a VM for hosting the api.hybridwebapp.com, which will definitely work as CORS is triggered automatically between different servers.

这篇关于两个ASP.NET Web应用程序 - 跨起源请求总是成功没有自由裁量权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！