有人可以为CorsPolicy实现提供一个明确的Origins列表吗? [英] Can someone provide a CorsPolicy implementation with an explicit Origins list?
问题描述
在配置注释中指示以下信息:
indicates the following information in the configuration comments:
// Setup the CORS middleware to run before SignalR.
// By default this will allow all origins. You can
// configure the set of origins and/or http verbs by
// providing a cors options with a different policy.
map.UseCors(CorsOptions.AllowAll);
但是,System.Web.CorsPolicy的Origins属性具有一个私有的setter,没有允许注入origin的构造函数以及没有公开的setter方法.关于Origins列表,似乎只公开了一个"AllowAllOrigins"属性,然后公开了一个无用的Origins getter,它仅反映了在CorsPolicy构造期间构造的空List.
however, the Origins property of System.Web.CorsPolicy has a private setter, no constructor that allows origins to be injected, and no exposed setter method. With regards to the Origins list, it seems to only expose an "AllowAllOrigins" property and then a useless Origins getter that is only reflecting out the empty List that is constructed during CorsPolicy construction.
特别要注意的是,默认 app.UseCors(CorsOptions.AllowAll) 设置是完全不连贯的.用它自己的工具提示,它是允许所有标头,所有方法,任何起源并支持凭据的策略."
Of particular note, the default app.UseCors(CorsOptions.AllowAll) setting is entirely incoherent. By its own tooltip, it is "A policy that allows all headers, all methods, any origin, and supports credentials."
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true
我的配置当前是愚蠢的简单" SignalR配置
My configuration is currently the "stupid simple" SignalR config
public void Configuration(IAppBuilder app)
{
app.UseCors(CorsOptions.AllowAll);
app.MapSignalR();
}
任何人都可以提供Microsoft.Owin.Cors.CorsMiddleware示例,该示例将为Access-Control-Allow-Origin的明确白名单重新实现"AllowAll"选项吗?
Can anyone provide a Microsoft.Owin.Cors.CorsMiddleware example that would reimplement the "AllowAll" Options with an explicit whitelist for Access-Control-Allow-Origin?
推荐答案
Have you looked at the source for CorsOptions.AllowAll? It shows how the CorsOptions is created. You could do something like
var policy = new CorsPolicy
{
AllowAnyHeader = true,
AllowAnyMethod = true,
AllowAnyOrigin = false, // False by default, just left it here.
SupportsCredentials = true
};
policy.Origins.Add("http://foo.example.com");
app.UseCors(new CorsOptions
{
PolicyProvider = new CorsPolicyProvider
{
PolicyResolver = context => Task.FromResult(policy)
}
});
如您所见,您设置了PolicyResolver属性,它是一个Func<IOwinRequest, Task<CorsPolicy>>.基于IOwinContext(针对当前请求),您需要返回
As you can see, you set the PolicyResolver property, which is a Func<IOwinRequest, Task<CorsPolicy>>. Based on the IOwinContext (for the current request), you need to return a CorsPolicy (also, see its source). This should have the properties you need to fine tune your policy. The list properties have private setters (probably to avoid potential null pointers), but they're all initialized in the default constructor, so you should be able to add to them.
这篇关于有人可以为CorsPolicy实现提供一个明确的Origins列表吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
