我有一个方案是从http发送ajax post请求到https(出于某些复杂的原因必须这样做),我需要为了cookie而传递凭据。
我在服务器端使用Web Api,使用NuGet包Microsoft.AspNet.WebApi.Cors来启用Cors请求。
客户端的代码:
$.ajax({ url: 'https://www.sitename.com/api/xxx', type: 'post', data: { '': 1 }, headers: { '__AntiXsrfTokenKey': 'whatevertokenhere' }, xhrFields: { withCredentials: true }, dataType: 'json', success: function (data) { } });Web Api设置:
config.EnableCors();控制器的EnableCors属性:
[EnableCors(origins: "http://www.sitename.com", headers: "*", methods: "*", SupportsCredentials = true)] public class XXXController : ApiController预检请求标题:
Access-Control-Request-Headers: accept, __AntiXsrfTokenKey, content-type Access-Control-Request-Method: POST Origin: http://www.sitename.com响应头:
Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: __AntiXsrfTokenKey,content-type Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS Access-Control-Allow-Origin: *问题很明显,Access-Control-Allow-Origin标头返回一个通配符*,而不是我在控制器' http://www.sitename.com '的属性中指定的请求源。 所以我最终得到了错误:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://www.sitename.com' is therefore not allowed access.有没有人知道为什么这种行为以及如何在EnableCors属性中正确设置Access-Control-Allow-Origin域?
I have one scenario to send an ajax post request from http to https (have to do that for some complex reasons), and I need to pass credentials for the sake of cookies.
I use Web Api in server side, with NuGet package Microsoft.AspNet.WebApi.Cors to enable Cors request.
The code in client side:
$.ajax({ url: 'https://www.sitename.com/api/xxx', type: 'post', data: { '': 1 }, headers: { '__AntiXsrfTokenKey': 'whatevertokenhere' }, xhrFields: { withCredentials: true }, dataType: 'json', success: function (data) { } });Web Api settings:
config.EnableCors();EnableCors attribute for controller:
[EnableCors(origins: "http://www.sitename.com", headers: "*", methods: "*", SupportsCredentials = true)] public class XXXController : ApiControllerThe preflight request header:
Access-Control-Request-Headers: accept, __AntiXsrfTokenKey, content-type Access-Control-Request-Method: POST Origin: http://www.sitename.comThe response header:
Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: __AntiXsrfTokenKey,content-type Access-Control-Allow-Methods: GET, PUT, POST, DELETE, OPTIONS Access-Control-Allow-Origin: *The problem is clearly that Access-Control-Allow-Origin header is returning a wildcard *, instead of the request origin which I specified in the attribute of the controller 'http://www.sitename.com'. So I end up of the error:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://www.sitename.com' is therefore not allowed access.Does any one know why is that behavior and how I can set the Access-Control-Allow-Origin domain correctly in the EnableCors attribute?
最满意答案
好的,终于在system.webServer中的web.config中找到了这个
<rewrite> <outboundRules> <rule name="Set Access-Control-Allow-Origin header"> <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="(.*)" /> <action type="Rewrite" value="*" /> </rule> </outboundRules> </rewrite>Ok, finally found this in web.config within system.webServer
<rewrite> <outboundRules> <rule name="Set Access-Control-Allow-Origin header"> <match serverVariable="RESPONSE_Access-Control-Allow-Origin" pattern="(.*)" /> <action type="Rewrite" value="*" /> </rule> </outboundRules> </rewrite>更多推荐
sitename,www,true,Access-Control-Allow-Origin,电脑培训,计算机培训,IT培训"/> <
发布评论