我正在创建一个简单的ASP.NET后端,并且需要使CORS仅将我的网站(请求来自其)列入白名单,而其他任何来源都无法访问该网站。我已经完成了下图所示的工作(老实说,我尝试了其他所有方法,但均未成功),而我所获得的是,在发出任何请求(GET,PUT,POST ...)时,我始终不会遇到任何问题列入白名单的网站(这很好),但我也从其他来源获得了响应,而我在浏览器控制台上仅遇到了CORS通用错误(我重复一遍,在得到错误的同时我也得到了答案,我不想)。 我该怎么办?
预先感谢
Matteo
public class Startup
{
public Startup(IHostingEnvironment configuration)
{
Configuration = configuration;
}
public IHostingEnvironment Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowMyOrigin",
builder => builder.WithOrigins("https://myclient"));
});
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
services.AddEntityFrameworkSqlite()
.AddDbContext<WebApiContext>(options => options.UseSqlite($"Data Source={Configuration.WebRootPath}/tutoriel.db"));
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new CorsAuthorizationFilterFactory("AllowMyOrigin"));
}); //Imposta il cors su tutto il progetto (resource: DZone)
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseCors("AllowMyOrigin");
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseAuthentication();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
}
错误:
Object { headers: {…}, status: 0, statusText: "Unknown Error", url: "https://mysite", ok: false, name: "HttpErrorResponse", message: "Http failure response for https://mysite: 0 Unknown Error", error: error }
core.js:15724
警告:
跨源读取阻止(CORB)阻止了跨源响应 https://mysite,MIME类型为application / json。看到 https://www.chromestatus.com/feature/5629709824032768了解更多 详细信息。
网站授权错误
但Json结果显示
{"id":"w.paciaroni","luogo":"giappone","disponibilita":false}
答案 0 :(得分:0)
我重复一遍,在得到错误的同时我也得到了答案
这是预期的行为。 CORS是浏览器的安全功能。它旨在保护用户(而不是您的服务器)免受跨站点脚本攻击。
我不想要
然后,您必须在服务器上实现该功能。最简单的方法是编写一个中间件或一个ActionFilter来检查请求的Origin头。如果它与您允许的任何来源都不匹配,请返回错误响应(我建议错误状态为412 Precondition Failed)。
安全说明:攻击者可以轻易地欺骗Origin头,因此这只会 阻止最愚蠢的黑客访问您的网页。