ASP.NET 中的 CORS 问题 [英] Issues with CORS in ASP.NET

问题描述

我有这个应用程序，我想在 Web.Config 中设置我的自定义标头，唉，这并不总是万无一失的.

I have this App where I would like to set my custom headers in the Web.Config, alas this is not always fool proof.

  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="*" />
    <add name="Access-Control-Allow-Headers" value="*" />
  </customHeaders>

上面的集合和它的迭代如

The above set and iterations of it such as

  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="OPTIONS,GET,PUT,DELETE,POST" />
    <add name="Access-Control-Allow-Headers" value="Authorization,Content-Type" />
  </customHeaders>

在所有情况下都没有为我工作.截至目前，此设置在大约 50% 的测试机器中有效，并在其他机器中提供 405 Method Not Allowed.

has not worked worked for me in all scenario's. As of now this setting works in about 50% of the test machines and gives 405 Method Not Allowed in others.

替代方法是在 WebApiConfig.cs 中设置此项，并在 Web.config 中取消注释自定义标头.

The alternative is set this in WebApiConfig.cs and uncomment the custom headers in Web.config.

//Web API Cross origin requests - Enable
  var cors = new EnableCorsAttribute("*", "*", "*");
  config.EnableCors(cors);

为什么会有这么多的歧义，我如何确定 CORS 会一直在哪里工作?我真的对在 Web.config 上设置 CORS 非常感兴趣，因为我希望在部署的版本中灵活地修改它.

Why is there so much ambiguity in this and how do I know for sure where CORS will work all the time? I am really interested in setting CORS on Web.config only as I would like the flexibility of modifying it in the deployed version.

推荐答案

我相信你的随机"问题是因为你没有处理预检 Options requestsPUT 和 Delete 动词.

I believe that your 'random' issue occurs because you are not handling the preflight Options requests for PUT and Delete verbs.

对于上面提到的两个动词，一个额外的request被生成，Options，Web API需要响应以确认它确实配置为支持 CORS.

For the two verbs mentioned above an extra request is generated, Options, to which Web API needs to respond in order to confirm that it is indeed configured to support CORS.

要处理这个问题，您需要做的就是发回一个空响应.您可以在您的操作中执行此操作，也可以像这样在全局范围内执行此操作:

To handle this, all you need to do is send an empty response back. You can do this inside your actions, or you can do it globally like this:

protected void Application_BeginRequest()
{
    if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
    {
        Response.Flush();
    }
}

添加了这个额外的检查以确保旧的 API 设计为只接受 GET 和 POST 请求不会被利用.想象一下，当这个 动词 不存在时，向 API 发送 DELETE 请求.结果是不可预测的，结果可能是危险的.

This extra check was added to ensure that old APIs that were designed to accept only GET and POST requests will not be exploited. Imagine sending a DELETE request to an API designed when this verb didn't exist. The outcome is unpredictable and the results might be dangerous.

另外，在 web.config 中，您应该指定方法而不是使用 *

Also, in web.config, you should specify the methods instead of using *

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
  </customHeaders>
 </httpProtocol>

这篇关于ASP.NET 中的 CORS 问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！