我有这个应用程序,我想在 Web.Config 中设置我的自定义标头,唉,这并不总是万无一失的.
I have this App where I would like to set my custom headers in the Web.Config, alas this is not always fool proof.
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="*" />
<add name="Access-Control-Allow-Headers" value="*" />
</customHeaders>
上面的集合和它的迭代如
The above set and iterations of it such as
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="OPTIONS,GET,PUT,DELETE,POST" />
<add name="Access-Control-Allow-Headers" value="Authorization,Content-Type" />
</customHeaders>
在所有情况下都没有为我工作.截至目前,此设置在大约 50% 的测试机器中有效,并在其他机器中提供 405 Method Not Allowed
.
has not worked worked for me in all scenario's. As of now this setting works in about 50% of the test machines and gives 405 Method Not Allowed
in others.
替代方法是在 WebApiConfig.cs
中设置此项,并在 Web.config
中取消注释自定义标头.
The alternative is set this in WebApiConfig.cs
and uncomment the custom headers in Web.config
.
//Web API Cross origin requests - Enable
var cors = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(cors);
为什么会有这么多的歧义,我如何确定 CORS
会一直在哪里工作?我真的对在 Web.config
上设置 CORS 非常感兴趣,因为我希望在部署的版本中灵活地修改它.
Why is there so much ambiguity in this and how do I know for sure where CORS
will work all the time? I am really interested in setting CORS on Web.config
only as I would like the flexibility of modifying it in the deployed version.
我相信你的随机"问题是因为你没有处理预检 Options
requestsPUT
和 Delete
动词.
I believe that your 'random' issue occurs because you are not handling the preflight Options
requests for PUT
and Delete
verbs.
对于上面提到的两个动词,一个额外的request被生成,Options
,Web API
需要响应以确认它确实配置为支持 CORS
.
For the two verbs mentioned above an extra request is generated, Options
, to which Web API
needs to respond in order to confirm that it is indeed configured to support CORS
.
要处理这个问题,您需要做的就是发回一个空响应.您可以在您的操作中执行此操作,也可以像这样在全局范围内执行此操作:
To handle this, all you need to do is send an empty response back. You can do this inside your actions, or you can do it globally like this:
protected void Application_BeginRequest()
{
if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
{
Response.Flush();
}
}
添加了这个额外的检查以确保旧的 API
设计为只接受 GET
和 POST
请求不会被利用.想象一下,当这个 动词 不存在时,向 API
发送 DELETE
请求.结果是不可预测的,结果可能是危险的.
This extra check was added to ensure that old APIs
that were designed to accept only GET
and POST
requests will not be exploited. Imagine sending a DELETE
request to an API
designed when this verb didn't exist. The outcome is unpredictable and the results might be dangerous.
另外,在 web.config
中,您应该指定方法而不是使用 *
Also, in web.config
, you should specify the methods instead of using *
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
这篇关于ASP.NET 中的 CORS 问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!