WebAPI 控制器忽略 CORS
WebAPI Controller Ignoring CORS
我在 class 上有一个带有自定义 CORS 策略提供程序属性的 WebAPI 控制器。在定义属性时,我有以下构造函数。
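/// <summary>
/// Action filter that also acts as a CORS policy provider. The policy is built
/// once, in the constructor, from the 'CORSDomainSection' section of Web.config
/// and then handed out unchanged for every request.
/// </summary>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class ConfiguredCORSPolicyProviderAttribute : ActionFilterAttribute, ICorsPolicyProvider
{
    private readonly CorsPolicy _policy;

    /// <summary>
    /// Builds the policy: any method and any header are accepted, origins are
    /// restricted to the entries configured in 'CORSDomainSection'.
    /// </summary>
    public ConfiguredCORSPolicyProviderAttribute()
    {
        _policy = new CorsPolicy
        {
            AllowAnyMethod = true,
            AllowAnyHeader = true
        };

        var domains = (CORSDomainSection)ConfigurationManager.GetSection("CORSDomainSection");

        // SECURITY: a missing 'CORSDomainSection' previously flipped the policy to
        // AllowAnyOrigin, so a deployment that forgot (or lost) the section silently
        // opened the API to every origin. Fail closed instead: with no configured
        // origins nothing is allowed. Opening the API to all origins must be an
        // explicit, deliberate configuration, never the consequence of an absence.
        if (domains == null)
        {
            return;
        }

        foreach (DomainConfigElement domain in domains.Domains)
        {
            // A blank entry would otherwise compare equal to an empty Origin and
            // admit every request that carries no Origin header at all.
            if (!string.IsNullOrWhiteSpace(domain.Domain))
            {
                _policy.Origins.Add(domain.Domain.Trim());
            }
        }
    }

    /// <summary>
    /// Returns the policy built at construction time; it does not depend on the request.
    /// </summary>
    /// <param name="request">The incoming request (unused).</param>
    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request)
    {
        return Task.FromResult(_policy);
    }

    /// <summary>
    /// Cancellation-aware overload; the policy is already materialised so the token is not consulted.
    /// </summary>
    /// <param name="request">The incoming request (unused).</param>
    /// <param name="token">Cancellation token (unused).</param>
    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken token)
    {
        return GetCorsPolicyAsync(request);
    }
}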
ConfigurationManager 获得一个列表(来自 Web.config),其中包含我想要允许发出请求的可接受的 origins/domains。
这段代码正确地处理了 "Access-Control-Allow-Origin" header:请求源在列表中时添加它,不在列表中时则不添加(由浏览器据此拒绝响应)。但无论请求源是否被允许,控制器中的代码仍然会被执行。
如果请求的来源不允许,为什么以及如何适当地阻止控制器执行?
更新 || [2016 年 4 月 12 日@12:30p]
我能够使用 OnActionExecuted
和 OnActionExecuting
方法覆盖的组合解决问题,代码如下。
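/// <summary>
/// Executed after the action method is invoked. For an allowed Origin it adds
/// Access-Control-Allow-Origin (reflecting that Origin) plus Vary: Origin and, on
/// a preflight, Access-Control-Allow-Methods / Access-Control-Allow-Headers
/// derived from <c>Policy</c>.
/// </summary>
/// <remarks>
/// NOTE(review): this method reads <c>Policy</c> whereas the constructor fills the
/// <c>_policy</c> field; presumably a property exposing the same object — confirm.
/// Whether an OPTIONS preflight is routed to an action (and so reaches this filter
/// at all) depends on routing that is not part of this listing.
/// </remarks>
/// <param name="context">The context of the HTTP request.</param>
public override void OnActionExecuted(HttpActionExecutedContext context)
{
    // When the action threw, context.Response is null (context.Exception is set
    // instead); the original dereferenced it unconditionally and turned the
    // action's failure into a NullReferenceException inside the filter.
    if (context.Response == null)
    {
        base.OnActionExecuted(context);
        return;
    }

    var requestHeaders = context.Request.Headers;
    string requestOrigin = requestHeaders.Contains("Origin")
        ? requestHeaders.GetValues("Origin").FirstOrDefault() ?? string.Empty
        : string.Empty;

    if (IsAllowedOrigin(requestOrigin))
    {
        // Reflect the validated Origin rather than "*" so the emitted value is
        // always an allow-listed one. Because the header now differs per Origin,
        // shared caches must key on it or one origin's response could be served
        // to another — hence Vary: Origin.
        context.Response.Headers.Add("Access-Control-Allow-Origin", requestOrigin);
        context.Response.Headers.Vary.Add("Origin");

        if (IsPreflight(context))
        {
            // Methods: echo the requested method when anything is allowed,
            // otherwise advertise the configured list.
            string allowedMethods = Policy.AllowAnyMethod
                ? requestHeaders.GetValues("Access-Control-Request-Method").FirstOrDefault()
                : string.Join(", ", Policy.Methods);

            // Headers: echo the requested headers when anything is allowed (the
            // response header is omitted when the request asked for none),
            // otherwise advertise the configured list.
            string allowedHeaders = null;
            if (Policy.AllowAnyHeader)
            {
                if (requestHeaders.Contains("Access-Control-Request-Headers"))
                {
                    allowedHeaders = requestHeaders.GetValues("Access-Control-Request-Headers").FirstOrDefault();
                }
            }
            else
            {
                allowedHeaders = string.Join(", ", Policy.Headers);
            }

            if (!string.IsNullOrEmpty(allowedHeaders))
            {
                context.Response.Headers.Add("Access-Control-Allow-Headers", allowedHeaders);
            }
            if (!string.IsNullOrEmpty(allowedMethods))
            {
                context.Response.Headers.Add("Access-Control-Allow-Methods", allowedMethods);
            }
        }
    }

    base.OnActionExecuted(context);
}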
/// <summary>
/// Executed before the action method is invoked. Short-circuits the request with
/// 403 Forbidden when the Origin header is absent or not in the configured allow
/// list, so the action body never runs for a disallowed origin.
/// </summary>
/// <remarks>
/// Only browsers populate Origin faithfully; any other client can send whatever
/// value it likes. This is therefore a CORS gate, not an authentication or
/// authorization check, and must not be relied on as one.
/// </remarks>
/// <param name="context">The context of the HTTP request.</param>
public override void OnActionExecuting(HttpActionContext context)
{
    var requestHeaders = context.Request.Headers;
    string requestOrigin = requestHeaders.Contains("Origin")
        ? requestHeaders.GetValues("Origin").FirstOrDefault()
        : string.Empty;

    if (!IsAllowedOrigin(requestOrigin))
    {
        // Setting context.Response makes Web API skip the action entirely.
        context.ModelState.AddModelError("State", "The origin of the request is forbidden from making requests.");
        context.Response = context.Request.CreateErrorResponse(HttpStatusCode.Forbidden, context.ModelState);
        return;
    }

    base.OnActionExecuting(context);
}
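/// <summary>
/// Returns true when <paramref name="requestOrigin"/> (with its scheme removed)
/// matches one of the configured origins, or when a debugger is attached.
/// </summary>
/// <param name="requestOrigin">Raw Origin header value; null or empty is never allowed.</param>
private bool IsAllowedOrigin(string requestOrigin)
{
    // WARNING: development convenience, not a security control — every request is
    // accepted while a debugger is attached, so a broken allow list goes unnoticed
    // on a developer machine. Consider removing this before shipping.
    if (System.Diagnostics.Debugger.IsAttached)
    {
        return true;
    }

    // No Origin (non-browser client, same-origin navigation) never matches. The
    // original dereferenced the string and threw on null, and an empty value could
    // match a blank configuration entry.
    if (string.IsNullOrEmpty(requestOrigin))
    {
        return false;
    }

    // Strip only a leading scheme; Replace() removed the token anywhere in the
    // string. Note that dropping the scheme makes the check scheme-insensitive: an
    // allow-listed https origin also admits its http counterpart. Store full
    // origins in configuration and compare them whole if that matters here.
    string bareOrigin = requestOrigin;
    if (bareOrigin.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        bareOrigin = bareOrigin.Substring("https://".Length);
    }
    else if (bareOrigin.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
    {
        bareOrigin = bareOrigin.Substring("http://".Length);
    }

    return PolicyContains(bareOrigin);
}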
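/// <summary>
/// True when some configured origin, with its scheme removed, equals
/// <paramref name="requestOrigin"/> (case-insensitively).
/// </summary>
/// <param name="requestOrigin">Origin with the scheme already removed; null or empty never matches.</param>
private bool PolicyContains(string requestOrigin)
{
    // An empty request origin must never match, even if a blank entry made it into
    // the configured list.
    if (string.IsNullOrEmpty(requestOrigin))
    {
        return false;
    }

    foreach (var domain in _policy.Origins)
    {
        if (string.IsNullOrEmpty(domain))
        {
            continue;
        }

        // Strip only a leading scheme (Replace() removed the token anywhere).
        string bareDomain = domain;
        if (bareDomain.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            bareDomain = bareDomain.Substring("https://".Length);
        }
        else if (bareDomain.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
        {
            bareDomain = bareDomain.Substring("http://".Length);
        }

        // Host names are case-insensitive: an entry typed as "App.Example.com" must
        // still match the lower-cased Origin a browser sends.
        if (string.Equals(bareDomain, requestOrigin, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }

    return false;
}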
/// <summary>
/// A CORS preflight is an OPTIONS request that carries an
/// Access-Control-Request-Method header; anything else is a plain request.
/// </summary>
/// <param name="context">The context of the HTTP request.</param>
private bool IsPreflight(HttpActionExecutedContext context)
{
    var request = context.Request;

    if (request.Method != HttpMethod.Options)
    {
        return false;
    }

    if (!request.Headers.Contains("Access-Control-Request-Method"))
    {
        return false;
    }

    return request.Headers.GetValues("Access-Control-Request-Method").FirstOrDefault() != null;
}
CORS 本来就不是用来阻止控制器被调用的:它只约束浏览器,原生客户端(几乎所有非浏览器程序)调用时,方法默认仍会被处理。
如果确实需要阻止此类调用,可以在 OnActionExecutingAsync(或同步的 OnActionExecuting)中、在调用控制器之前执行类似的 Origin 检查。
但要注意:Origin header 由客户端自行填写,非浏览器客户端可以伪造任意值,因此这种检查只是对 CORS 策略的补充,不能当作身份验证或授权来依赖。
我在 class 上有一个带有自定义 CORS 策略提供程序属性的 WebAPI 控制器。在定义属性时,我有以下构造函数。
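/// <summary>
/// Action filter that also acts as a CORS policy provider. The policy is built
/// once, in the constructor, from the 'CORSDomainSection' section of Web.config
/// and then handed out unchanged for every request.
/// </summary>
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class ConfiguredCORSPolicyProviderAttribute : ActionFilterAttribute, ICorsPolicyProvider
{
    private readonly CorsPolicy _policy;

    /// <summary>
    /// Builds the policy: any method and any header are accepted, origins are
    /// restricted to the entries configured in 'CORSDomainSection'.
    /// </summary>
    public ConfiguredCORSPolicyProviderAttribute()
    {
        _policy = new CorsPolicy
        {
            AllowAnyMethod = true,
            AllowAnyHeader = true
        };

        var domains = (CORSDomainSection)ConfigurationManager.GetSection("CORSDomainSection");

        // SECURITY: a missing 'CORSDomainSection' previously flipped the policy to
        // AllowAnyOrigin, so a deployment that forgot (or lost) the section silently
        // opened the API to every origin. Fail closed instead: with no configured
        // origins nothing is allowed. Opening the API to all origins must be an
        // explicit, deliberate configuration, never the consequence of an absence.
        if (domains == null)
        {
            return;
        }

        foreach (DomainConfigElement domain in domains.Domains)
        {
            // A blank entry would otherwise compare equal to an empty Origin and
            // admit every request that carries no Origin header at all.
            if (!string.IsNullOrWhiteSpace(domain.Domain))
            {
                _policy.Origins.Add(domain.Domain.Trim());
            }
        }
    }

    /// <summary>
    /// Returns the policy built at construction time; it does not depend on the request.
    /// </summary>
    /// <param name="request">The incoming request (unused).</param>
    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request)
    {
        return Task.FromResult(_policy);
    }

    /// <summary>
    /// Cancellation-aware overload; the policy is already materialised so the token is not consulted.
    /// </summary>
    /// <param name="request">The incoming request (unused).</param>
    /// <param name="token">Cancellation token (unused).</param>
    public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken token)
    {
        return GetCorsPolicyAsync(request);
    }
}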
ConfigurationManager 获得一个列表(来自 Web.config),其中包含我想要允许发出请求的可接受的 origins/domains。
这段代码正确地处理了 "Access-Control-Allow-Origin" header:请求源在列表中时添加它,不在列表中时则不添加(由浏览器据此拒绝响应)。但无论请求源是否被允许,控制器中的代码仍然会被执行。
如果请求的来源不允许,为什么以及如何适当地阻止控制器执行?
更新 || [2016 年 4 月 12 日@12:30p]
我能够使用 OnActionExecuted
和 OnActionExecuting
方法覆盖的组合解决问题,代码如下。
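/// <summary>
/// Executed after the action method is invoked. For an allowed Origin it adds
/// Access-Control-Allow-Origin (reflecting that Origin) plus Vary: Origin and, on
/// a preflight, Access-Control-Allow-Methods / Access-Control-Allow-Headers
/// derived from <c>Policy</c>.
/// </summary>
/// <remarks>
/// NOTE(review): this method reads <c>Policy</c> whereas the constructor fills the
/// <c>_policy</c> field; presumably a property exposing the same object — confirm.
/// Whether an OPTIONS preflight is routed to an action (and so reaches this filter
/// at all) depends on routing that is not part of this listing.
/// </remarks>
/// <param name="context">The context of the HTTP request.</param>
public override void OnActionExecuted(HttpActionExecutedContext context)
{
    // When the action threw, context.Response is null (context.Exception is set
    // instead); the original dereferenced it unconditionally and turned the
    // action's failure into a NullReferenceException inside the filter.
    if (context.Response == null)
    {
        base.OnActionExecuted(context);
        return;
    }

    var requestHeaders = context.Request.Headers;
    string requestOrigin = requestHeaders.Contains("Origin")
        ? requestHeaders.GetValues("Origin").FirstOrDefault() ?? string.Empty
        : string.Empty;

    if (IsAllowedOrigin(requestOrigin))
    {
        // Reflect the validated Origin rather than "*" so the emitted value is
        // always an allow-listed one. Because the header now differs per Origin,
        // shared caches must key on it or one origin's response could be served
        // to another — hence Vary: Origin.
        context.Response.Headers.Add("Access-Control-Allow-Origin", requestOrigin);
        context.Response.Headers.Vary.Add("Origin");

        if (IsPreflight(context))
        {
            // Methods: echo the requested method when anything is allowed,
            // otherwise advertise the configured list.
            string allowedMethods = Policy.AllowAnyMethod
                ? requestHeaders.GetValues("Access-Control-Request-Method").FirstOrDefault()
                : string.Join(", ", Policy.Methods);

            // Headers: echo the requested headers when anything is allowed (the
            // response header is omitted when the request asked for none),
            // otherwise advertise the configured list.
            string allowedHeaders = null;
            if (Policy.AllowAnyHeader)
            {
                if (requestHeaders.Contains("Access-Control-Request-Headers"))
                {
                    allowedHeaders = requestHeaders.GetValues("Access-Control-Request-Headers").FirstOrDefault();
                }
            }
            else
            {
                allowedHeaders = string.Join(", ", Policy.Headers);
            }

            if (!string.IsNullOrEmpty(allowedHeaders))
            {
                context.Response.Headers.Add("Access-Control-Allow-Headers", allowedHeaders);
            }
            if (!string.IsNullOrEmpty(allowedMethods))
            {
                context.Response.Headers.Add("Access-Control-Allow-Methods", allowedMethods);
            }
        }
    }

    base.OnActionExecuted(context);
}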
/// <summary>
/// Executed before the action method is invoked. Short-circuits the request with
/// 403 Forbidden when the Origin header is absent or not in the configured allow
/// list, so the action body never runs for a disallowed origin.
/// </summary>
/// <remarks>
/// Only browsers populate Origin faithfully; any other client can send whatever
/// value it likes. This is therefore a CORS gate, not an authentication or
/// authorization check, and must not be relied on as one.
/// </remarks>
/// <param name="context">The context of the HTTP request.</param>
public override void OnActionExecuting(HttpActionContext context)
{
    var requestHeaders = context.Request.Headers;
    string requestOrigin = requestHeaders.Contains("Origin")
        ? requestHeaders.GetValues("Origin").FirstOrDefault()
        : string.Empty;

    if (!IsAllowedOrigin(requestOrigin))
    {
        // Setting context.Response makes Web API skip the action entirely.
        context.ModelState.AddModelError("State", "The origin of the request is forbidden from making requests.");
        context.Response = context.Request.CreateErrorResponse(HttpStatusCode.Forbidden, context.ModelState);
        return;
    }

    base.OnActionExecuting(context);
}
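/// <summary>
/// Returns true when <paramref name="requestOrigin"/> (with its scheme removed)
/// matches one of the configured origins, or when a debugger is attached.
/// </summary>
/// <param name="requestOrigin">Raw Origin header value; null or empty is never allowed.</param>
private bool IsAllowedOrigin(string requestOrigin)
{
    // WARNING: development convenience, not a security control — every request is
    // accepted while a debugger is attached, so a broken allow list goes unnoticed
    // on a developer machine. Consider removing this before shipping.
    if (System.Diagnostics.Debugger.IsAttached)
    {
        return true;
    }

    // No Origin (non-browser client, same-origin navigation) never matches. The
    // original dereferenced the string and threw on null, and an empty value could
    // match a blank configuration entry.
    if (string.IsNullOrEmpty(requestOrigin))
    {
        return false;
    }

    // Strip only a leading scheme; Replace() removed the token anywhere in the
    // string. Note that dropping the scheme makes the check scheme-insensitive: an
    // allow-listed https origin also admits its http counterpart. Store full
    // origins in configuration and compare them whole if that matters here.
    string bareOrigin = requestOrigin;
    if (bareOrigin.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
    {
        bareOrigin = bareOrigin.Substring("https://".Length);
    }
    else if (bareOrigin.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
    {
        bareOrigin = bareOrigin.Substring("http://".Length);
    }

    return PolicyContains(bareOrigin);
}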
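/// <summary>
/// True when some configured origin, with its scheme removed, equals
/// <paramref name="requestOrigin"/> (case-insensitively).
/// </summary>
/// <param name="requestOrigin">Origin with the scheme already removed; null or empty never matches.</param>
private bool PolicyContains(string requestOrigin)
{
    // An empty request origin must never match, even if a blank entry made it into
    // the configured list.
    if (string.IsNullOrEmpty(requestOrigin))
    {
        return false;
    }

    foreach (var domain in _policy.Origins)
    {
        if (string.IsNullOrEmpty(domain))
        {
            continue;
        }

        // Strip only a leading scheme (Replace() removed the token anywhere).
        string bareDomain = domain;
        if (bareDomain.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            bareDomain = bareDomain.Substring("https://".Length);
        }
        else if (bareDomain.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
        {
            bareDomain = bareDomain.Substring("http://".Length);
        }

        // Host names are case-insensitive: an entry typed as "App.Example.com" must
        // still match the lower-cased Origin a browser sends.
        if (string.Equals(bareDomain, requestOrigin, StringComparison.OrdinalIgnoreCase))
        {
            return true;
        }
    }

    return false;
}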
/// <summary>
/// A CORS preflight is an OPTIONS request that carries an
/// Access-Control-Request-Method header; anything else is a plain request.
/// </summary>
/// <param name="context">The context of the HTTP request.</param>
private bool IsPreflight(HttpActionExecutedContext context)
{
    var request = context.Request;

    if (request.Method != HttpMethod.Options)
    {
        return false;
    }

    if (!request.Headers.Contains("Access-Control-Request-Method"))
    {
        return false;
    }

    return request.Headers.GetValues("Access-Control-Request-Method").FirstOrDefault() != null;
}
CORS 本来就不是用来阻止控制器被调用的:它只约束浏览器,原生客户端(几乎所有非浏览器程序)调用时,方法默认仍会被处理。
如果确实需要阻止此类调用,可以在 OnActionExecutingAsync(或同步的 OnActionExecuting)中、在调用控制器之前执行类似的 Origin 检查。
但要注意:Origin header 由客户端自行填写,非浏览器客户端可以伪造任意值,因此这种检查只是对 CORS 策略的补充,不能当作身份验证或授权来依赖。