Core 2.1 拒绝使用 Access-Control-Expose-Headers 响应:*

问题描述

我一定是在这里做错了，但我想不通；据我所知，这似乎是一个 CORS 问题.我需要将 Access-Control-Expose-Headers: * 暴露给任何来源，但 dotnet core 2.1 没有达到我的预期.

I must be doing something wrong here but I can't figure it out; it seems to be a CORS issue from what I can tell. I need to expose Access-Control-Expose-Headers: * to any origin but dotnet core 2.1 isn't doing what I expect.

相关Startup.cs代码:

Relevant Startup.cs code:

        public void ConfigureServices(IServiceCollection services)
        {
            //Mapping settings to POCO and registering with container
            var settings = new AppSettings.ReportStorageAccountSettings();
            Configuration.Bind(nameof(AppSettings.ReportStorageAccountSettings), settings);

            services.AddCors(options =>
            {
                options.AddPolicy("AllowAll",
                    builder =>
                    {
                        builder
                            .AllowAnyHeader()
                            .AllowAnyMethod()
                            .AllowAnyOrigin()
                            .AllowCredentials();
                    });
            });
            services.AddSingleton(settings);
            services.AddApiVersioning();
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

            app.UseCors("AllowAll");
            app.UseHttpsRedirection();
            app.UseMvc();
        }

此应用程序托管在 Azure 中，我在 Azure 中的 CORS 设置中添加了一个 * 条目，只是为了更好地衡量.现在，每当客户端应用程序(也托管在 Azure 中)发出发布请求时，都无法通过 JS 访问标头，并且响应中不存在 Access-Control-Expose-Headers: *.但是，当我检查网络响应和使用 Fiddler 时，我可以看到标头.我已经尝试使用 Axios 和 Jquery 来访问标题以排除 JS 的任何问题.我在这里做错了什么?

This application is hosted in Azure and I have added a * entry to the CORS settings in Azure just for good measure. Now, whenever the client application (which is also hosted in Azure) makes a post request, the headers are not accessible via JS and Access-Control-Expose-Headers: * is not present in the response. However, I can see the headers when I inspect the network response and when using Fiddler. I have tried Axios and Jquery for accessing the headers to rule out any issues with the JS. What am I doing wrong here?

在控制器中我回复:

 Response.Headers.Add("Location", $"api/someLocation");
 return StatusCode(StatusCodes.Status202Accepted);

推荐答案

CorsPolicyBuilder 的 AllowAnyHeader 方法配置 Access-Control-Allow-Headers 响应头，即仅用于 预检请求.Access-Control-Expose-Headers 响应头是需要的，使用 WithExposedHeaders.

这是一个完整的例子:

services.AddCors(options =>
{
    options.AddPolicy("AllowAll", builder =>
    {
        builder.AllowAnyHeader()
               .AllowAnyMethod()
               .AllowAnyOrigin()
               .AllowCredentials()
               .WithExposedHeaders("Location"); // params string[]
    });
});

这篇关于Core 2.1 拒绝使用 Access-Control-Expose-Headers 响应:*的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持跟版网！