Azure API Management CORS: Why do I get "Headers starting with 'Access-Control-' were removed..."


Question

Using the following simple policy:

<policies>
    <inbound>
        <cors>
            <allowed-origins>
                <origin>http://microfost.com/</origin>
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>GET</method>
                <method>POST</method>
                <method>PATCH</method>
                <method>DELETE</method>
            </allowed-methods>
            <allowed-headers>
                <header>content-type</header>
                <header>accept</header>
                <header>Authorization</header>
            </allowed-headers>
        </cors>
    </inbound>
</policies>  

HTTP request

OPTIONS https://XXXX.azure-api.net/demo/XXX/XXX/* HTTP/1.1
Host: XXXX.azure-api.net
Ocp-Apim-Trace: true
Ocp-Apim-Subscription-Key: <secret>
Origin: http://microfost.com
Access-Control-Request-Headers: Authorization
Access-Control-Request-Method: GET

Response

Access-Control-Allow-Origin: http://microfost.com
Ocp-Apim-Trace-Location: <trace>
Date: Mon, 27 Feb 2017 20:09:14 GMT
Content-Length: 0

I get this message and expect Origin response header I do not receive anything for 2 out of 3 APIs (1 API is working with the same policy as expected).

**Inbound**
[...]
cors (0 ms)
"Cross domain request was well formed and was allowed to proceed. CORS related headers were added to the response."

**Backend**

No records.

**Outbound**

cors (0 ms)
{
    "message": "Headers starting with 'Access-Control-' were removed from the response. ",
    "headers": []
}
transfer-response (0 ms)
{
    "message": "Response headers have been sent to the caller."
}

This seems to me a nonsense behavior and might be a bug. Before submitting it I would like to ask you if there is any explanation? Why do I get this?

Headers starting with 'Access-Control-' were removed from the response.

Recommended answer

There are two ways to do CORS in Azure API Management. Automatic - just drop and configure CORS policy in a desired scope and APIM will take care of responding to OPTIONS requests that match existing operations.

Or you can choose manual way - create a separate operation that responds to OPTIONS method and form response manually right in the policy, possibly using return-response policy.

The problem you're having is because you have both. They're basically in conflict. The CORS policy identifies the request as cross-origin and schedules processing for after the request is complete, but the return-response policy at the OPTIONS operation level breaks this processing pipeline and returns the response immediately, before the CORS policy can take action.

Since you're using CORS policy you should remove OPTIONS operation from your API to make things work.
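
The conflict described in the answer above can be checked for before deployment. The following is an added example, not part of the original question or answer and not Azure's own tooling: a small Python lint that flags OPTIONS operations coexisting with a `<cors>` policy. The operation list format, the operation names and the sample policies are constructed assumptions, and the policies are assumed to parse as strict XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: an API-scope policy like the one in the question, and
# a hypothetical operation list with per-operation policies (names are made up).
API_POLICY = """<policies><inbound><cors>
  <allowed-origins><origin>http://microfost.com/</origin></allowed-origins>
  <allowed-methods><method>GET</method></allowed-methods>
</cors></inbound></policies>"""

MANUAL_OPTIONS = """<policies><inbound><return-response>
  <set-status code="200" reason="OK" />
</return-response></inbound></policies>"""

OPERATIONS = [
    {"name": "get-item", "method": "GET",
     "policy": "<policies><inbound><base /></inbound></policies>"},
    {"name": "preflight", "method": "OPTIONS", "policy": MANUAL_OPTIONS},
]


def has_element(policy_xml, tag):
    """True if the policy document contains an element named `tag` anywhere.

    Assumption: the policy is strict XML; policies with embedded expressions
    that break XML well-formedness would need pre-processing first.
    """
    if not policy_xml:
        return False
    return ET.fromstring(policy_xml).find(f".//{tag}") is not None


def find_cors_conflicts(api_policy, operations):
    """Return one finding per OPTIONS operation that coexists with a <cors> policy."""
    if not has_element(api_policy, "cors"):
        return []  # manual CORS only: no cors policy for the operation to conflict with
    findings = []
    for op in operations:
        if op["method"].upper() != "OPTIONS":
            continue
        findings.append({
            "operation": op["name"],
            # return-response ends the pipeline before the cors policy can act
            "returns_early": has_element(op.get("policy"), "return-response"),
            "advice": "remove this OPTIONS operation; let the cors policy answer preflights",
        })
    return findings


if __name__ == "__main__":
    for finding in find_cors_conflicts(API_POLICY, OPERATIONS):
        print(finding)
```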
