CORS Chrome 通配符 '*' Angular 8?
CORS Chrome wildcard '*' Angular 8?
我仅在 Chrome 中收到以下消息 CORS,Mozilla 工作正常:
Access to XMLHttpRequest at 'http://localhost:8002/dataHub/negotiate'
from origin 'http://172.16.30.79:4200' has been blocked by CORS
policy: Response to preflight request doesn't pass access control
check: The value of the 'Access-Control-Allow-Origin' header in the
response must not be the wildcard '*' when the request's credentials
mode is 'include'. The credentials mode of requests initiated by the
XMLHttpRequest is controlled by the withCredentials attribute.
服务器 returns 我这些 headers:
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: x-requested-with,Vary,Server,Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Date
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Vary, Server, Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Date
Content-Type: application/json; charset=utf-8
Date: Mon, 23 Sep 2019 18:32:09 GMT
Server: Microsoft-IIS/10.0
Vary: Origin
X-Content-Type-Options: nosniff
我使用 SignalR 的连接是:
this.connection = new signalR.HubConnectionBuilder()
.configureLogging(signalR.LogLevel.Debug)
.withUrl("http://localhost:8002/dataHub")
.build();
this.connection
.start({withCredentials: false})
.then(() => {
});
如您所见,服务器发送了一个 header:
Access-Control-Allow-Origin: *
我在 Mozilla 中看到 Access-Control-Allow-Origin: http://172.16.30.79:4200
为什么 Chrome 在 Access-Control-Allow-Origin: * 上替换 Access-Control-Allow-Origin: http://172.16.30.79:4200 我不知道。
在你的 Configuration 上:
//Configure CORS policy
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder.WithOrigins("http://172.16.30.79:4200")
.SetIsOriginAllowed((host) => true)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
});
然后 Configure:
//Cors Policy
app.UseCors("CorsPolicy");
我仅在 Chrome 中收到以下消息 CORS,Mozilla 工作正常:
Access to XMLHttpRequest at 'http://localhost:8002/dataHub/negotiate' from origin 'http://172.16.30.79:4200' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
服务器 returns 我这些 headers:
Access-Control-Allow-Credentials: false
Access-Control-Allow-Headers: x-requested-with,Vary,Server,Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Date
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Vary, Server, Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Date
Content-Type: application/json; charset=utf-8
Date: Mon, 23 Sep 2019 18:32:09 GMT
Server: Microsoft-IIS/10.0
Vary: Origin
X-Content-Type-Options: nosniff
我使用 SignalR 的连接是:
this.connection = new signalR.HubConnectionBuilder()
.configureLogging(signalR.LogLevel.Debug)
.withUrl("http://localhost:8002/dataHub")
.build();
this.connection
.start({withCredentials: false})
.then(() => {
});
如您所见,服务器发送了一个 header:
Access-Control-Allow-Origin: *
我在 Mozilla 中看到 Access-Control-Allow-Origin: http://172.16.30.79:4200
为什么 Chrome 在 Access-Control-Allow-Origin: * 上替换 Access-Control-Allow-Origin: http://172.16.30.79:4200 我不知道。
在你的 Configuration 上:
//Configure CORS policy
services.AddCors(options =>
{
options.AddPolicy("CorsPolicy",
builder => builder.WithOrigins("http://172.16.30.79:4200")
.SetIsOriginAllowed((host) => true)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials());
});
然后 Configure:
//Cors Policy
app.UseCors("CorsPolicy");