Azure网站Rest Api仅接受GET,POST返回403.可能是CORS [英] Azure website Rest Api only accept GET, POST returns 403. Possibly CORS
问题描述
我遇到一个奇怪的问题.我有一个在Azure App Service(网站)下运行的Asp.net Core WebApi项目.我在Chrome中使用DHC插件.我的服务也与AAD一起运行.
I am encounter a strange problem. I have a Asp.net Core WebApi project running under Azure App Service (Website). I am using DHC plug-in in Chrome. My service is also running with AAD.
我可以很好地请求GET方法(登录后).但是,当我请求任何POST时,都会收到403响应.在日志中四处看看,
I can request a GET method just fine (After login). However, when I request any POST, I got a 403 response. Looking around in the log, I can see this
2016-07-28T08:14:26 PID [x]详细收到的请求:POST https://blahblah.azurewebsites.net/api/build/beep/
2016-07-28T08:14:26 PID [x]详细发现了网站"blah.azurewebsites.net"的"AppServiceAuthSession" cookie.长度:856.
2016-07-28T08:14:26 PID[x] Verbose Found 'AppServiceAuthSession' cookie for site 'blah.azurewebsites.net'. Length: 856.
2016-07-28T08:14:26 PID [x]信息发送响应:403.60禁止
2016-07-28T08:14:26 PID[x] Information Sending response: 403.60 Forbidden
2016-07-28T08:14:26 PID [x]警告从引荐来源"检测到用户'blah@blahblah.com'的跨站点请求伪造!
2016-07-28T08:14:26 PID[x] Warning Cross-site request forgery detected for user 'blah@blahblah.com' from referer ''!
我正在使用Asp.net Core 1.0.我在代码(AllOrigin AllHeader)中启用了CORS,并且Azure网站的CORS中有一个"*"条目,该条目应接受所有来源.日志流似乎甚至没有访问我的网站,但是Azure中的某些内容阻止了该请求.
I am using Asp.net Core 1.0. I have CORS enable in my code (AllOrigin AllHeader), as well as the CORS in Azure website has an entry for '*', which supposed to accept every origin. The log stream seems like it does not even hit my website, but something in Azure blocks the request.
有帮助吗?
成功的GET方法
2016-07-28T20:24:35 PID [22880]详细收到的请求:GET https://blah.azurewebsites.net/api/build/beep/
2016-07-28T20:24:35 PID [22880]详细发现了网站"blah.azurewebsites.net"的"AppServiceAuthSession" cookie.长度:876.
2016-07-28T20:24:35 PID[22880] Verbose Found 'AppServiceAuthSession' cookie for site 'blah.azurewebsites.net'. Length: 876.
2016-07-28T20:24:36 PID [22880]使用会话Cookie"身份验证成功通过了blah@blah.com的详细身份验证.
2016-07-28T20:24:36 PID[22880] Verbose Authenticated blah@blah.com successfully using 'Session Cookie' authentication.
推荐答案
好像您的JavaScript客户端被Authentication/Authorization模块的CSRF保护所阻止,该模块目前不了解CORS配置(可能应该-我").
Looks like your JavaScript client is being blocked by the Authentication / Authorization module's CSRF protection, which currently doesn't know about the CORS configuration (it probably should - I'll look into this).
解决此问题的最简单方法是在客户端设置中添加自定义 User-Agent HTTP标头.我们内置的CSRF保护所要寻找的一件事是客户端是否是浏览器.几乎所有主流浏览器都使用"Mozilla/..."作为用户代理字符串.将其更改为其他名称,以明确表明您不是浏览器,并且POST请求将成功通过.
The simplest way to work around this is to add a custom User-Agent HTTP header in your client settings. One of the things our built-in CSRF protection looks for is whether the client is a browser. Pretty much all major browsers use "Mozilla/..." as the user-agent string. Change this to something else to make it clear that you're not a browser and your POST request will go through successfully.
这篇关于Azure网站Rest Api仅接受GET,POST返回403.可能是CORS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
