问题
I have a project using web api and one using asp.net mvc. They are configured using CORS module.
The project using Web Api is configured to allow any origin because it's deployed on Azure and it's an OData endpoint, so we don't know who is going to consume it.
OData endpoint configuration
// inside configuration
config.EnableCors();
// controllers
[EnableCors(origins: "*", headers: "*", methods: "*")]
[Authorize]
[HttpPost]
public void ...
From my MVC client, using Angular $http we issue an authenticated request using Bearer token which looks like this one:
Request sent
Request URL:http://myodata.com/Products
Request Method:GET
Status Code:200 OK
Remote Address:123.123.123.123
And this is the header sent
Host: myodata.com
Authorization: bearer 123-ABC
Origin: http://myclient.com
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
Referer: http://myclient.com/
The problem lays in the response as you can see here:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Because after we upgraded from 5.2.2 to 5.2.3 the CORS module is sending out Access-Control-Allow-Origin: *
And clearly, from the browser, we get this error:
XMLHttpRequest cannot load http://myodata.com/Products.
The value of the 'Access-Control-Allow-Origin' header
in the response must not be the wildcard '*'
when the request's credentials mode is 'include'.
Origin 'http://myclient.com' is therefore not allowed access.
The credentials mode of requests initiated by the XMLHttpRequest
is controlled by the withCredentials attribute.
But the call succeed actually, it bombs on the Angular side. We didn't have this issue until today, after we upgraded from 5.2.2 to 5.2.3
回答1:
One thing you can try is to set the header using the URL Rewrite Module, by adding the following to your Web.config or ApplicationHost.config file in %SystemDrive%\inetpub\wwwroot\.
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="Make Access-Control-Allow-Origin echo Origin">
<match serverVariable="RESPONSE_Access-Control-Allow-Origin"
pattern=".+" negate="true" />
<action type="Rewrite" value="{HTTP_ORIGIN}" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
If the above doesn’t work, then you can try the version in the answer over at CORS in IIS issue with credentials and wildcard in Access-Control-Allow-Origin.
Another approach to try is, in the global.asax or other code for your service, add something like:
if (ValidateRequest()) {
Response.Headers.Remove("Access-Control-Allow-Origin");
Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["origin"]);
Response.Headers.Remove("Access-Control-Allow-Credentials");
Response.AddHeader("Access-Control-Allow-Credentials", "true");
Response.Headers.Remove("Access-Control-Allow-Methods");
Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
}
...the most important part of that being this:
Response.AddHeader("Access-Control-Allow-Origin", Request.Headers["origin"]);
In either case the end effect should be that your backend takes the value of the Origin request header and echoes it back as the value of the Access-Control-Allow-Origin response header.
来源:https://stackoverflow.com/questions/42296323/after-upgrade-to-asp-net-5-2-3-cors-isnt-working-for-origins