问题
I have a same domain, one of them is domain without prefix www. For example,
- https://www.example.com
- https://example.com
First domain works fine because it is default domain. But second one has gives error when I do CRUD or accessing any api service.
Access to XMLHttpRequest at 'https://www.example.com/hubCon/negotiate' from origin 'https://example.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I tried the code in the article published by Microsoft, but it doesn't works.
I am using .Net Core 2.2 version. This is my Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy(MyAllowSpecificOrigins,
builder =>
{
builder.WithOrigins("https://example.com")
.AllowAnyMethod()
.AllowAnyHeader()
.AllowAnyOrigin()
.AllowCredentials();
});
});
services.AddMvc().AddJsonOptions(options =>
{
options.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
}).SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
services.AddSignalR();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseCors(MyAllowSpecificOrigins);
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
app.UseHttpsRedirection();
app.UseStatusCodePages();
app.UseStaticFiles();
app.UseAuthentication();
app.UseSignalR(routes =>
{
routes.MapHub<HubSignal>("/hubCon");
});
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}"
);
});
}
So, I couldn't understand why the project gives error.
Thanks for your answers.
回答1:
You can't use AllowAnyOrigin with AllowCredentials. Below is an example that allows wildcard domains with CORS.
This code goes in ConfigureServices:
services.AddCors(options =>
{
options.AddPolicy("_AllowOrigin",
builder => builder
.SetIsOriginAllowedToAllowWildcardSubdomains()
.WithOrigins("https://localhost:44385", "https://*.azurewebsites.net", "http://*.azurewebsites.net")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials()
);
});
Don't forget to decorate your action in your controller:
[EnableCors("_AllowOrigin")]
回答2:
This happens because you have specified both:
- AllowAnyOrigin()
- AllowCredentials();
This configuration is not supported. See the doc:
Specifying AllowAnyOrigin and AllowCredentials is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.
You should remove the call to AllowAnyOrigin method
来源:https://stackoverflow.com/questions/57466671/cors-policy-has-been-blocked-my-subdomain