我已经将项目更新为 core 2.2,看来CORS正在产生2.1中没有的问题.
I've updated my project to core 2.2 and it seems like CORS is making problems that weren't there in 2.1.
我正在以下URL上运行我的应用程序:*:5300
I'm running my app on this URL: *:5300
我已将此代码添加到Startup.cs:
public void ConfigureServices(IServiceCollection services) { ... services.AddCors(options => options.AddPolicy("MyPolicy", builder => { builder.AllowAnyOrigin() .AllowAnyMethod() .AllowCredentials() .AllowAnyHeader(); })); services.AddMvc(); ... } public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) { ... app.UseCors(builder => { builder.AllowAnyOrigin() .AllowAnyMethod() .AllowCredentials() .AllowAnyHeader(); }); app.UseAuthentication(); app.UseMvc(); }这没有用,所以我在我的`BaseController'类上添加了[EnableCors]属性:
This didn't work, so I've added on top of it the [EnableCors] attribute on my `BaseController" class:
[EnableCors] [Authorize] [Produces("application/json")] [Route("api/[controller]")] public class BaseController : Controller { }但是我仍然收到此CORS错误:
But I'm still getting this CORS error:
通过" 192.168.15.63:5301/api/permissions/访问XMLHttpRequest来源" 192.168.15.63:5302 的UI "已被CORS阻止政策: 对预检请求的响应未通过访问控制检查: 当请求的凭据模式为"include"时,响应中"Access-Control-Allow-Origin"标头的值不得为通配符"*". XMLHttpRequest发起的请求的凭据模式由withCredentials属性控制.
Access to XMLHttpRequest at '192.168.15.63:5301/api/permissions/UI' from origin '192.168.15.63:5302' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
要完全删除CORS,我还能做什么?
What else can I do in order to completely remove CORS?
推荐答案
当请求的凭据模式为"include"时,响应中"Access-Control-Allow-Origin"标头的值不得为通配符"*".
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
使用ASP.NET Core响应CORS请求时,不能同时使用AllowAnyOrigin和AllowCredentials.
You cannot use both AllowAnyOrigin and AllowCredentials when using ASP.NET Core to respond to a CORS request.
通过" 192.168.15.63:5301/api/permissions/访问XMLHttpRequest来源" 192.168.15.63:5302 的UI "已被CORS阻止政策
Access to XMLHttpRequest at '192.168.15.63:5301/api/permissions/UI' from origin '192.168.15.63:5302' has been blocked by CORS policy
此消息表明您的服务器正在监听192.168.15.63:5301,但是您的客户端正在发出来自192.168.15.63:5302的请求.由于端口不同,因此来源不同,因此使用了CORS保护.
This message shows that your server is listening on 192.168.15.63:5301, but your client is making the request from 192.168.15.63:5302. Since the port is different, these are different origins and therefore CORS protection is used.
要允许请求成功,请将您的ASP.NET CORS配置代码更新为以下内容:
To allow the request to succeed, update your ASP.NET CORS configuration code to something like the following:
builder.WithOrigins("192.168.15.63:5302") .AllowAnyMethod() .AllowCredentials() .AllowAnyHeader();这将配置CORS支持的 client 的来源-当然,您可以根据需要将其作为配置选项添加到应用程序本身(例如使用appsettings.json).
This configures the origin of the client as being supported by CORS - you could, of course, add this as a configuration option to the application itself (using e.g. appsettings.json), if needed.
在旁边:
由于您已调用AddCors并配置了命名策略,因此没有理由在对UseCors的调用中配置相同的策略-您只需将先前配置的策略的名称传入:
As you've called AddCors and configured a named policy, there is no reason to configure the same policy in the call to UseCors - you can simply pass in the name of the policy you configured earlier with AddCors:
app.UseCors("MyPolicy");更多推荐
如何摆脱.NET Core 2.2中的CORS?
发布评论