Custom CORS policy not working


Problem description

I have a custom CORS policy like below, where I am setting support-credentials to false:

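using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

public class CorsProviderFactory : ICorsPolicyProviderFactory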
{
    //https://msdn.microsoft.com/en-us/magazine/dn532203.aspx

    public ICorsPolicyProvider GetCorsPolicyProvider(
        HttpRequestMessage request)
    {
        return new CorsPolicyProviderCustom();
    }

    public class CorsPolicyProviderCustom : Attribute, ICorsPolicyProvider
    {
        private readonly CorsPolicy _policy;

        public CorsPolicyProviderCustom()
        {
            // Create a CORS policy.
            _policy = new CorsPolicy
            {
                AllowAnyMethod = true,
                AllowAnyHeader = true,
                AllowAnyOrigin = true,
                SupportsCredentials = false
            };

            // Magic line right here
            _policy.Origins.Add("*");
            _policy.Methods.Add("*");
        }

        public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            return Task.FromResult(_policy);
        }
    }
}

and used it like:

    public static HttpConfiguration Register()
    {
        var config = new HttpConfiguration();
        config.SetCorsPolicyProviderFactory(new CorsProviderFactory());
        config.EnableCors();

        // .................
    }

But even then, in the Postman response I see support-credentials as true.

How can I get support-credentials as false? The breakpoint does reach the custom policy part, so why is it that it's not working :(

Recommended answer

For security reasons you cannot use Access-Control-Allow-Credentials with Access-Control-Allow-Origin set to *.

You must specify the exact domain(s) in Access-Control-Allow-Origin, OR set Access-Control-Allow-Credentials to false.
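
The two valid combinations named in the answer, as an added example that is not part of the original question or answer: a policy provider that enables credentials only for exact, allowlisted origins and serves every other origin without credentials. The class name `AllowlistCorsPolicyProvider` and the `example.com` origins are assumptions; the provider would be returned from the question's `CorsProviderFactory` in place of `CorsPolicyProviderCustom`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Cors;
using System.Web.Http.Cors;

public class AllowlistCorsPolicyProvider : ICorsPolicyProvider
{
    // Assumed sample origins: the only sites allowed to send cookies or auth headers.
    private static readonly HashSet<string> TrustedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://admin.example.com"
        };

    public Task<CorsPolicy> GetCorsPolicyAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Read the Origin header of the incoming request, if there is one.
        IEnumerable<string> values;
        string origin = request.Headers.TryGetValues("Origin", out values)
            ? values.FirstOrDefault()
            : null;

        var policy = new CorsPolicy { AllowAnyMethod = true, AllowAnyHeader = true };

        if (origin != null && TrustedOrigins.Contains(origin))
        {
            // Option 1: exact origin plus credentials. The policy names this one
            // origin instead of "*", so credentials may be enabled.
            policy.Origins.Add(origin);
            policy.SupportsCredentials = true;
        }
        else
        {
            // Option 2: any origin, but credentials stay off.
            policy.AllowAnyOrigin = true;
            policy.SupportsCredentials = false;
        }

        return Task.FromResult(policy);
    }
}
```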
