问题描述
我有类似下面的自定义CORS政策,在这里我设置支持的凭据为false
i have a custom cors policy like below, where I am setting support-credentials to false
public class CorsProviderFactory : ICorsPolicyProviderFactory
{
//https://msdn.microsoft.com/en-us/magazine/dn532203.aspx
public ICorsPolicyProvider GetCorsPolicyProvider(
HttpRequestMessage request)
{
return new CorsPolicyProviderCustom();
}
public class CorsPolicyProviderCustom : Attribute, ICorsPolicyProvider
{
private readonly CorsPolicy _policy;
public CorsPolicyProviderCustom()
{
// Create a CORS policy.
_policy = new CorsPolicy
{
AllowAnyMethod = true,
AllowAnyHeader = true,
AllowAnyOrigin = true,
SupportsCredentials = false
};
// Magic line right here
_policy.Origins.Add("*");
_policy.Methods.Add("*");
}
public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
return Task.FromResult(_policy);
}
}
}
,并用它喜欢的:
and used it like :
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
config.SetCorsPolicyProviderFactory(new CorsProviderFactory());
config.EnableCors();
.................
}
但即使如此,在邮递员响应我明白了,支持的凭据为真
but even then in the postman response i see, support-credentials as true
我如何能得到支持的凭据为假,断点确实达到自定义策略的一部分,所以那为什么它不工作:(
how can I get support-credentials as false, the breakpoint does reaches to the custom policy part, so why is it that its not working :(
推荐答案
有关安全考虑,您不能使用接入控制允许Credentails
与访问控制允许来源
设置为 *
。
For security reasons you can not use Access-Control-Allow-Credentails
with Access-Control-Allow-Origin
set to *
.
您必须指定访问控制允许来源
,或者设置接入控制允许Credentails确切域
到假
。
You must specify the exact domain(s) in Access-Control-Allow-Origin
, OR set Access-Control-Allow-Credentails
to false
.
这篇关于定制CORS政策不工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!