Access-Control-Allow-Origin 不允许来源 https://demo.example.com
Origin https://demo.example.com is not allowed by Access-Control-Allow-Origin
在 ASP.NET Core 2.2 API 上,我在 ConfigureServices 上有以下内容:
services.AddCors(x => {
x.AddPolicy("AllowAll", y => y.AllowAnyMethod().AllowAnyOrigin().AllowAnyHeader().AllowCredentials());
});
关于配置方法我有:
application.UseCors("AllowAll");
我将 API 发布到 Azure,域为:
https://api-demo.example.com
并且访问 API 的 Web 应用程序位于:
https://demo.example.com
但是我在 Web 应用程序上收到一条错误消息:
Origin https://demo.example.com is not allowed by Access-Control-Allow-Origin.
XMLHttpRequest cannot load https://api-demo.example.com/v1.0/posts due to access control checks.
Failed to load resource: Origin https://demo.example.com is not allowed by Access-Control-Allow-Origin.
AllowAll 不应该在这种情况下工作吗?我错过了什么?
更新
这是我在启动时的顺序:
application.UseHsts();
application.UseCors("AllowAll");
application.UseAuthentication();
application.UseHealthChecks("/health");
application.UseHttpsRedirection();
application.UseResponseCaching();
application.UseMvc();
Access-Control-Allow-Origin header 不支持通配符 * 与 Access-Control-Allow-Credentials
组合使用
来自 MDN 网络文档 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Directives
For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.
在 ASP.NET Core 2.2 API 上,我在 ConfigureServices 上有以下内容:
services.AddCors(x => {
x.AddPolicy("AllowAll", y => y.AllowAnyMethod().AllowAnyOrigin().AllowAnyHeader().AllowCredentials());
});
关于配置方法我有:
application.UseCors("AllowAll");
我将 API 发布到 Azure,域为:
https://api-demo.example.com
并且访问 API 的 Web 应用程序位于:
https://demo.example.com
但是我在 Web 应用程序上收到一条错误消息:
Origin https://demo.example.com is not allowed by Access-Control-Allow-Origin.
XMLHttpRequest cannot load https://api-demo.example.com/v1.0/posts due to access control checks.
Failed to load resource: Origin https://demo.example.com is not allowed by Access-Control-Allow-Origin.
AllowAll 不应该在这种情况下工作吗?我错过了什么?
更新
这是我在启动时的顺序:
application.UseHsts();
application.UseCors("AllowAll");
application.UseAuthentication();
application.UseHealthChecks("/health");
application.UseHttpsRedirection();
application.UseResponseCaching();
application.UseMvc();
Access-Control-Allow-Origin header 不支持通配符 * 与 Access-Control-Allow-Credentials
来自 MDN 网络文档 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#Directives
For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.