对 XMLHttpRequest 的访问已被 https 重定向中的 CORS 策略阻止,除非我清理浏览器

Access to XMLHttpRequest has been blocked by CORS policy in https redirect unless I clean browser

我有一个 angular + .net core 2.1 应用程序。仅使用 http 时效果很好,现在我想重定向到 https。 但是每次我启动应用程序登录时都出现错误

Access to XMLHttpRequest at ’https://appgee.mycompany.com:5001/’ from origin ’https://app.mysite.com:5001’ has been blocked by CORS policy: The ‘Access-Control-Allow-Origin’ header has a value ’https://app.mysite.com:5001’ that is not equal to the supplied origin

如果我清理浏览器数据,错误就消失了。但这对用户来说是不方便的。 我在 .net 核心中的代码:

services.AddCors(o => o.AddPolicy("CorsPolicy", builder => {
                builder
                .AllowAnyMethod()
                .AllowAnyHeader()
                .AllowCredentials()
                .AllowAnyOrigin();
            })); 




app.UseHttpsRedirection();

我使用 apigee 进行身份验证,在 angular 我将请求 header 设置为 api 请求 apigee 作为(在拦截器中):

SetHeaders: {
   Authorization: 'Bearer $ {token.access_token}',
   'Access-Control-Allow-Origin': '*',
   

你看我已经在前端和后端都允许 origin 了。但为什么会这样?

更新:

我拥有的 Apigee 目标端点

<HTTPTargetConnection>
     <Properties/>
     <URL>http://app.mysite.com:5001</URL>
</HTTPTargetConnection>
app.UseCors("CorsPolicy");

根据 https://weblog.west-wind.com/posts/2016/sep/26/aspnet-core-and-cors-gotchas

的讨论

@Kristian - the middleware order definitely matters, although you may be right that it has the important order is in the Configure() method, not ConfigureServices(). To be safe I make sure I have the CORS definition before MVC in both places. Checking now to see which one actually matters, or not at all. Several references mention this explicitly.

所以我把 UseCors 放在方法的第一行。