在 Azure 网站(Azure 应用服务)中启用 Access-Control-Allow-Credentials 标头 [英] Enable Access-Control-Allow-Credentials header in Azure website (Azure App Services)
问题描述
我们最近将 API 应用程序从 Azure 云服务迁移到 Azure 网站,一些客户端仍在使用我们的旧协议进行身份验证,该协议使用 cookie(而不是通常的 Authorization: Bearer HTTP 标头).我们需要再支持此身份验证协议一段时间,因为客户端将无法立即迁移.
We recently migrated an API application from Azure Cloud Services to Azure Websites, and some clients are still using our legacy protocol for authentication, which uses cookies (instead of the usual Authorization: Bearer HTTP header). We need to support this authentication protocol for a little longer as the clients will not be able to migrate right away.
为了在指向 API 的跨域 ajax 请求中支持 cookie,客户端需要将 XMLHttpRequest 中的 withCredentials 设置为 true,并且服务器需要响应 Access-Control-Allow-Credentials 标头以及任何 CORS 请求.
To support cookies in a cross-origin ajax request directed to the API, the client needs to set the withCredentials setting to true in the XMLHttpRequest, and the server needs to repond with the Access-Control-Allow-Credentials header as well to any CORS request.
我们面临的问题是,Azure 网站完全自己管理 CORS,并使用自己的配置(仅限于允许的来源列表)进行响应,这不允许设置此标头...从而破坏了我们所有 Ajax 客户端的应用程序!
The problem we face is that the Azure Website manages CORS all by itself, and uses its own configuration (which is limited to a list of allowed origins) for the response, which does not allow this header to be set... thus breaking the application for all our Ajax clients!
有没有办法(临时)在响应中添加这个标题?
Is there a way to (temporarily) add this header in the responses?
推荐答案
我们终于理解了 Azure Apps CORS 中间件的行为.要禁用它,您必须清除 Web 应用程序的 CORS 刀片中每个允许的原始条目(包括 *).然后您可以自己管理 CORS,使用 Web Api 2 功能或使用 web.config.
We finally managed to understand the behavior of the Azure Apps CORS middleware. To disable it, you have to clear every single allowed origin entry in the CORS blade of your web app (including *). Then you can manage CORS by yourself, either using the Web Api 2 functionality or using the web.config.
该信息甚至可以在 文档:
不要尝试在一个 API 应用中同时使用 Web API CORS 和应用服务 CORS.应用服务 CORS 优先,Web API CORS 无效.例如,如果您在应用服务中启用一个源域,并在您的 Web API 代码中启用所有源域,则您的 Azure API 应用将只接受来自您在 Azure 中指定的域的调用.
Don't try to use both Web API CORS and App Service CORS in one API app. App Service CORS will take precedence and Web API CORS will have no effect. For example, if you enable one origin domain in App Service, and enable all origin domains in your Web API code, your Azure API app will only accept calls from the domain you specified in Azure.
所以最后的答案是:如果您的应用程序不需要非常具体的 CORS 管理,您可以使用 Azure App Service CORS.否则,您需要自己处理并禁用 Web 应用程序中的所有 CORS 配置.
So the final answer is: If your application does not need a very specific CORS management, you can use Azure App Service CORS. Otherwise you will need to handle it yourself and disable all CORS configuration in the web app.
这篇关于在 Azure 网站(Azure 应用服务)中启用 Access-Control-Allow-Credentials 标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
