你知道,通常:CORS不起作用 . Chrome通过以下方式为我服务:
Fetch API无法加载https:// url-to-my-api-thing . 请求的资源上不存在“Access-Control-Allow-Origin”标头 . 因此,不允许来源“https:// url-to-the-origin-thing” . 如果不透明响应满足您的需求,请将请求的模式设置为“no-cors”以获取禁用CORS的资源 .
我有一个ASP.NET Web API 2应用程序,它使用OWIN管道并托管在IIS中 .
以下是我(尝试)在我的 Configuration
方法中设置CORS的方法:
// ... container setup above, CORS is the first middleware ...
var corsPolicyProvider = new CorsPolicyProvider(_corsOrigins, container.GetInstance<ILogger>);
app.UseCors(new CorsOptions
{
PolicyProvider = corsPolicyProvider
});
app.UseStageMarker(PipelineStage.Authenticate);
configuration.Services.Replace(typeof(IExceptionHandler), new PassThroughExceptionHandler());
configuration.MapHttpAttributeRoutes();
app.UseWebApi(configuration);
这是我的 CorsPolicyProvider
类的样子:
public class CorsPolicyProvider : ICorsPolicyProvider
{
private readonly Regex _corsOriginsRegex;
private readonly string _defaultCorsOrigin;
private readonly Func<ILogger> _scopedLoggerCreator;
public CorsPolicyProvider(string corsOrigins, Func<ILogger> scopedLoggerCreator)
{
_corsOriginsRegex = new Regex($"({corsOrigins})", RegexOptions.IgnoreCase);
_defaultCorsOrigin = corsOrigins?.Split('|').FirstOrDefault();
_scopedLoggerCreator = scopedLoggerCreator;
}
public Task<CorsPolicy> GetCorsPolicyAsync(IOwinRequest request)
{
var logger = _scopedLoggerCreator();
var allowedOrigin = _defaultCorsOrigin;
string[] origins;
request.Headers.TryGetValue("Origin", out origins);
var origin = origins?.FirstOrDefault();
if (origin != null && Uri.IsWellFormedUriString(origin, UriKind.Absolute) && _corsOriginsRegex.IsMatch(new Uri(origin).Host))
allowedOrigin = origins.FirstOrDefault();
var policy = new CorsPolicy
{
Origins = { allowedOrigin },
Methods = { HttpMethod.Get.Method, HttpMethod.Post.Method, HttpMethod.Put.Method, HttpMethod.Delete.Method },
Headers = { "accept", "content-type" },
SupportsCredentials = true,
PreflightMaxAge = 1728000
};
logger?.Verbose("Resolving CORS policy: {@CorsPolicy}", policy);
return Task.FromResult(policy);
}
}
为什么这个政策从未触发过,或者最好是故障?如果我在本地测试时设置断点并显式发送 OPTIONS
请求,则会输入 GetCorsPolicyAsync
方法,并按预期记录请求 . 但是当API在服务器上并且我尝试从Chrome中的网站调用它时,它从不记录请求,它只是告诉我没有CORS标头 .
1 回答
......就像发条一样,当我发布一些东西时,我找到了答案 . 有 was 一个CORS标头,并且请求 was 被记录,但环境配置错误,因此原始(因为它是一个不同的环境然后无效)被正确阻止,并且日志最终在错误的服务器上 . 修复了配置,它再次按预期工作 .