Cross-Origin 请求被阻止:缺少 CORS header 'Access-Control-Allow-Origin'
Cross-Origin Request Blocked: CORS header 'Access-Control-Allow-Origin' missing
使用 Identity Server 3 我正在尝试根据 documentation 配置 CORS。当我执行 GET 请求时,我可以看到在 Fiddler 中捕获的响应是正确的并且缺少 Access-Control-Allow-Origin header.
这是用于设置 IdentityServerOptions 的代码:
public void Configuration(IAppBuilder app)
{
var factory = InMemoryFactory.Create(
clients: Clients.Get(),
scopes: Scopes.Get());
var viewOptions = new DefaultViewServiceOptions();
viewOptions.Stylesheets.Add("/Content/site.css");
viewOptions.Scripts.Add("/Content/logon.js");
viewOptions.CacheViews = false;
factory.ConfigureDefaultViewService(viewOptions);
// This is where the CORS policy service is configured.
var corsPolicyService = new DefaultCorsPolicyService();
corsPolicyService.AllowAll = true;
factory.CorsPolicyService = new Registration<ICorsPolicyService>(corsPolicyService);
var userService = new LocalRegistrationUserService();
factory.UserService = new Registration<IUserService>(resolver => userService);
var options = new IdentityServerOptions
{
SiteName = "IdentityServer",
SigningCertificate = this.certificateProvider.Certificate,
Factory = factory,
RequireSsl = true,
// This is deprecated, but should still work according to the documentation.
// However using or not using it makes no change.
// CorsPolicy = CorsPolicy.AllowAll,
ProtocolLogoutUrls = logoutUrls,
AuthenticationOptions = new AuthenticationOptions()
{
EnableSignOutPrompt = false,
EnablePostSignOutAutoRedirect = true,
PostSignOutAutoRedirectDelay = 5,
},
};
app.Map("/core", idsrvApp =>
{
idsrvApp.UseIdentityServer(options);
});
}
如果我随后从其他站点发出简单的 GET 请求,这就是我得到的响应:
HTTP/1.1 302 Found
Content-Length: 0
Location: https://federation.example.com/core/login?signin=2ce0b4f...71313af
Server: Microsoft-IIS/8.5
Set-Cookie: SignInMessage.2ce0b4f...A1D5NkPJQ; path=/core; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 13 Jul 2015 12:00:00 GMT
为什么 Access-Control-Allow-Origin header 没有被应用?
似乎在 Identity Server 3 中正确设置了 CORS 策略服务,但所请求的路径明确不可用 通过不同的服务器。
由日志记录表中的错误标识的请求路径是:
CORS request made for path: /connect/authorize from origin: null but rejected because invalid CORS path
我认为这是一项额外的安全措施,可防止恶意系统在未经用户同意的情况下登录用户。
因此,唯一可以调用此受保护路径的系统将在工厂的 Client.RedirectUris(对于隐式流)中定义。
使用 Identity Server 3 我正在尝试根据 documentation 配置 CORS。当我执行 GET 请求时,我可以看到在 Fiddler 中捕获的响应是正确的并且缺少 Access-Control-Allow-Origin header.
这是用于设置 IdentityServerOptions 的代码:
public void Configuration(IAppBuilder app)
{
var factory = InMemoryFactory.Create(
clients: Clients.Get(),
scopes: Scopes.Get());
var viewOptions = new DefaultViewServiceOptions();
viewOptions.Stylesheets.Add("/Content/site.css");
viewOptions.Scripts.Add("/Content/logon.js");
viewOptions.CacheViews = false;
factory.ConfigureDefaultViewService(viewOptions);
// This is where the CORS policy service is configured.
var corsPolicyService = new DefaultCorsPolicyService();
corsPolicyService.AllowAll = true;
factory.CorsPolicyService = new Registration<ICorsPolicyService>(corsPolicyService);
var userService = new LocalRegistrationUserService();
factory.UserService = new Registration<IUserService>(resolver => userService);
var options = new IdentityServerOptions
{
SiteName = "IdentityServer",
SigningCertificate = this.certificateProvider.Certificate,
Factory = factory,
RequireSsl = true,
// This is deprecated, but should still work according to the documentation.
// However using or not using it makes no change.
// CorsPolicy = CorsPolicy.AllowAll,
ProtocolLogoutUrls = logoutUrls,
AuthenticationOptions = new AuthenticationOptions()
{
EnableSignOutPrompt = false,
EnablePostSignOutAutoRedirect = true,
PostSignOutAutoRedirectDelay = 5,
},
};
app.Map("/core", idsrvApp =>
{
idsrvApp.UseIdentityServer(options);
});
}
如果我随后从其他站点发出简单的 GET 请求,这就是我得到的响应:
HTTP/1.1 302 Found
Content-Length: 0
Location: https://federation.example.com/core/login?signin=2ce0b4f...71313af
Server: Microsoft-IIS/8.5
Set-Cookie: SignInMessage.2ce0b4f...A1D5NkPJQ; path=/core; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 13 Jul 2015 12:00:00 GMT
为什么 Access-Control-Allow-Origin header 没有被应用?
似乎在 Identity Server 3 中正确设置了 CORS 策略服务,但所请求的路径明确不可用 通过不同的服务器。
由日志记录表中的错误标识的请求路径是:
CORS request made for path: /connect/authorize from origin: null but rejected because invalid CORS path
我认为这是一项额外的安全措施,可防止恶意系统在未经用户同意的情况下登录用户。
因此,唯一可以调用此受保护路径的系统将在工厂的 Client.RedirectUris(对于隐式流)中定义。