为什么 DELETE 请求在项目发布到 IIS 后被 ASP.NET Core 3.1 上的 CORS 策略阻止?
Why DELETE request blocked by CORS policy on ASP.NET Core 3.1 after project published to IIS?
我有一个 angular 9 前端项目。实际上它正在工作,但后来我向我的 angular 项目“ngx-saveAs”和“saveAS”添加了一些 NPM 包,但我不确定这是相关原因。有什么想法可以帮助我发现它受到赞赏吗?
这是我的创业公司:
services.AddCors(o => o.AddPolicy("MyPolicy", builder =>
{
builder.WithOrigins("http://localhost:4200",
"https://localhost:4200",
"http://192.168.10.82",
"http://192.168.10.82:4200",
"https://192.168.10.82",
"https://192.168.10.82:4200",
"192.168.10.82",
"192.168.10.82:4200",
"192.168.10.164",
"192.168.10.163",
"http://192.168.10.163:64534",
"http://192.168.10.163:64535",
"http://192.168.10.164",
"http://192.168.10.164/",
"https://192.168.10.164",
"http://192.168.10.164:4200",
"http://192.168.10.164:4200/",
"https://192.168.10.164:4200",
"http://192.168.10.163:64534/",
"http://192.168.10.163:64535/"
).WithMethods("GET", "POST", "DELETE", "PUT")
.AllowAnyMethod().WithExposedHeaders("X-Pagination")
.AllowAnyHeader().AllowCredentials();
}));
错误是:
Access to XMLHttpRequest at 'http://192.168.10.163:64535/api/v1/Formula/24' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
和:DELETE http://192.168.10.163:64535/api/v1/Formula/24 net::ERR_FAILED
和:
ERROR
Error: خطا در برقراری ارتباط با سرور at ApiErrorHandlerService.handleError (http://localhost:4200/main.js:10307:27) at CatchSubscriber.selector (http://localhost:4200/main.js:10400:177) at CatchSubscriber.error (http://localhost:4200/vendor.js:285330:31) at FilterSubscriber._error (http://localhost:4200/vendor.js:282590:26) at FilterSubscriber.error (http://localhost:4200/vendor.js:282570:18) at MergeMapSubscriber.notifyError
问题
您的 CORS 配置有两个主要问题:
- 您正在呼叫
WithMethods,然后是 AllowAnyMethod。从 the aspnetcore source code, the latter cancels the former and results in an Access-Control-Allow-Methods: * header in responses to preflight requests. However, the asterisk (*) in that header only works as a wildcard for non-credentialed requests 可以明显看出。并且您的服务器需要经过认证的请求,因为您也在调用 AllowCredentials.
- 您正在呼叫
AllowAnyHeader。这个results in an Access-Control-Allow-Headers: * header in responses to preflight requests. However, again (same as in 1.), the asterisk (*) in that header only works as a wildcard for non-credentialed requests.
所有这些在MDN's page on CORS上都有清楚的解释,您应该花时间仔细阅读。
解决方案
如果调用AllowCredentials,则不能调用AllowAnyHeader或AllowAnyMethod(或AllowAnyOrigin)。您必须明确指定允许的方法和 headers。像这样:
builder
.WithOrigins("http://localhost:4200")
.WithMethods("GET", "POST", "DELETE", "PUT")
.WithHeaders() // <--- list the allowed headers here
.AllowCredentials()
.WithExposedHeaders("X-Pagination");
我有一个 angular 9 前端项目。实际上它正在工作,但后来我向我的 angular 项目“ngx-saveAs”和“saveAS”添加了一些 NPM 包,但我不确定这是相关原因。有什么想法可以帮助我发现它受到赞赏吗? 这是我的创业公司:
services.AddCors(o => o.AddPolicy("MyPolicy", builder =>
{
builder.WithOrigins("http://localhost:4200",
"https://localhost:4200",
"http://192.168.10.82",
"http://192.168.10.82:4200",
"https://192.168.10.82",
"https://192.168.10.82:4200",
"192.168.10.82",
"192.168.10.82:4200",
"192.168.10.164",
"192.168.10.163",
"http://192.168.10.163:64534",
"http://192.168.10.163:64535",
"http://192.168.10.164",
"http://192.168.10.164/",
"https://192.168.10.164",
"http://192.168.10.164:4200",
"http://192.168.10.164:4200/",
"https://192.168.10.164:4200",
"http://192.168.10.163:64534/",
"http://192.168.10.163:64535/"
).WithMethods("GET", "POST", "DELETE", "PUT")
.AllowAnyMethod().WithExposedHeaders("X-Pagination")
.AllowAnyHeader().AllowCredentials();
}));
错误是:
Access to XMLHttpRequest at 'http://192.168.10.163:64535/api/v1/Formula/24' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
和:DELETE http://192.168.10.163:64535/api/v1/Formula/24 net::ERR_FAILED
和:
ERROR
Error: خطا در برقراری ارتباط با سرور at ApiErrorHandlerService.handleError (http://localhost:4200/main.js:10307:27) at CatchSubscriber.selector (http://localhost:4200/main.js:10400:177) at CatchSubscriber.error (http://localhost:4200/vendor.js:285330:31) at FilterSubscriber._error (http://localhost:4200/vendor.js:282590:26) at FilterSubscriber.error (http://localhost:4200/vendor.js:282570:18) at MergeMapSubscriber.notifyError
问题
您的 CORS 配置有两个主要问题:
- 您正在呼叫
WithMethods,然后是AllowAnyMethod。从 the aspnetcore source code, the latter cancels the former and results in anAccess-Control-Allow-Methods: *header in responses to preflight requests. However, the asterisk (*) in that header only works as a wildcard for non-credentialed requests 可以明显看出。并且您的服务器需要经过认证的请求,因为您也在调用AllowCredentials. - 您正在呼叫
AllowAnyHeader。这个results in anAccess-Control-Allow-Headers: *header in responses to preflight requests. However, again (same as in 1.), the asterisk (*) in that header only works as a wildcard for non-credentialed requests.
所有这些在MDN's page on CORS上都有清楚的解释,您应该花时间仔细阅读。
解决方案
如果调用AllowCredentials,则不能调用AllowAnyHeader或AllowAnyMethod(或AllowAnyOrigin)。您必须明确指定允许的方法和 headers。像这样:
builder
.WithOrigins("http://localhost:4200")
.WithMethods("GET", "POST", "DELETE", "PUT")
.WithHeaders() // <--- list the allowed headers here
.AllowCredentials()
.WithExposedHeaders("X-Pagination");