如何摆脱.NET Core 2.2中的CORS? [英] How to get rid of CORS in .net core 2.2?
问题描述
我已经将项目更新为.net core 2.2,看来CORS正在产生2.1中没有的问题.
I've updated my project to .net core 2.2 and it seems like CORS is making problems that weren't there in 2.1.
我正在以下URL上运行我的应用程序:http://*:5300
I'm running my app on this URL: http://*:5300
我已将此代码添加到Startup.cs
:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddCors(options =>
options.AddPolicy("MyPolicy", builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowCredentials()
.AllowAnyHeader();
}));
services.AddMvc();
...
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
...
app.UseCors(builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowCredentials()
.AllowAnyHeader();
});
app.UseAuthentication();
app.UseMvc();
}
这没有用,所以我在我的`BaseController'类上添加了[EnableCors]
属性:
This didn't work, so I've added on top of it the [EnableCors]
attribute on my `BaseController" class:
[EnableCors]
[Authorize]
[Produces("application/json")]
[Route("api/[controller]")]
public class BaseController : Controller
{
}
但是我仍然收到此CORS错误:
But I'm still getting this CORS error:
通过" http://192.168.15.63:5301/api/permissions/访问XMLHttpRequest来源" http://192.168.15.63:5302 的UI "已被CORS阻止政策:
对预检请求的响应未通过访问控制检查:
当请求的凭据模式为"include"时,响应中"Access-Control-Allow-Origin"标头的值不得为通配符"*".
XMLHttpRequest发起的请求的凭据模式由withCredentials属性控制.
Access to XMLHttpRequest at 'http://192.168.15.63:5301/api/permissions/UI' from origin 'http://192.168.15.63:5302' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
要完全删除CORS,我还能做什么?
What else can I do in order to completely remove CORS?
推荐答案
当请求的凭据模式为"include"时,响应中"Access-Control-Allow-Origin"标头的值不得为通配符"*".
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
使用ASP.NET Core响应CORS请求时,不能同时使用AllowAnyOrigin
和AllowCredentials
.
You cannot use both AllowAnyOrigin
and AllowCredentials
when using ASP.NET Core to respond to a CORS request.
通过" http://192.168.15.63:5301/api/permissions/访问XMLHttpRequest来源" http://192.168.15.63:5302 的UI "已被CORS阻止政策
Access to XMLHttpRequest at 'http://192.168.15.63:5301/api/permissions/UI' from origin 'http://192.168.15.63:5302' has been blocked by CORS policy
此消息表明您的服务器正在监听http://192.168.15.63:5301
,但是您的客户端正在发出来自http://192.168.15.63:5302
的请求.由于端口不同,因此来源不同,因此使用了CORS保护.
This message shows that your server is listening on http://192.168.15.63:5301
, but your client is making the request from http://192.168.15.63:5302
. Since the port is different, these are different origins and therefore CORS protection is used.
要允许请求成功,请将您的ASP.NET CORS配置代码更新为以下内容:
To allow the request to succeed, update your ASP.NET CORS configuration code to something like the following:
builder.WithOrigins("http://192.168.15.63:5302")
.AllowAnyMethod()
.AllowCredentials()
.AllowAnyHeader();
这将配置CORS支持的 client 的来源-当然,您可以根据需要将其作为配置选项添加到应用程序本身(例如使用appsettings.json
).
This configures the origin of the client as being supported by CORS - you could, of course, add this as a configuration option to the application itself (using e.g. appsettings.json
), if needed.
在旁边:
由于您已调用AddCors
并配置了命名策略,因此没有理由在对UseCors
的调用中配置相同的策略-您只需将先前配置的策略的名称传入
As you've called AddCors
and configured a named policy, there is no reason to configure the same policy in the call to UseCors
- you can simply pass in the name of the policy you configured earlier with AddCors
:
app.UseCors("MyPolicy");
这篇关于如何摆脱.NET Core 2.2中的CORS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!