Access-Control-Allow-Headers列表中不存在请求标头

时间:2014-11-27 10:15:11

标签: internet-explorer asp.net-web-api2

在我的API中,我有以下代码:

public class CustomOAuthProvider : OAuthAuthorizationServerProvider
{

    public override Task MatchEndpoint(OAuthMatchEndpointContext context)
    {
        if (context.OwinContext.Request.Method == "OPTIONS" && context.IsTokenEndpoint)
        {
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Methods", new[] { "POST" });
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", 
                new[] { 
                    "access-control-allow-origin", 
                    "accept", 
                    "x-api-applicationid", 
                    "content-type", 
                    "authorization" 
                });
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
            context.OwinContext.Response.StatusCode = (int)HttpStatusCode.OK;

            context.RequestCompleted();

            return Task.FromResult<object>(null);
        }

        return base.MatchEndpoint(context);
    }

    // ... even more code, but not relevant

}

当我从Chrome连接到此API时,一切都很完美。当我从同一台计算机连接到同一个API,但只从另一个浏览器Internet Explorer 11连接时,我收到以下错误:

  

SEC7123:请求标头x-api-applicationid不存在于   Access-Control-Allow-Headers列表。

我调试了代码,我看到标题已添加到响应中。甚至IE显示标题:

IE11 response

IE期待什么?

更新

如果我从

更改标题的顺序 
new[] { 
    "access-control-allow-origin", 
    "accept", 
    "x-api-applicationid", 
    "content-type", 
    "authorization" 
}

为:

new[] { 
    "content-type",
    "accept",
    "access-control-allow-origin",
    "x-api-applicationid", 
    "authorization" 
}

错误消息更改为:

  

SEC7123:请求标头 access-control-allow-origin 中没有   Access-Control-Allow-Headers列表。

所以它总是在第三个标题上给出错误。

3 个答案:

答案 0 :(得分:4)

确保它不像AJAX中内容类型标题的拼写错误那么简单。我得到了一个带有application/x-www-form-urlencoded内容类型的OPTIONS预检,这不需要预检,但我有

content-type: application/x-www-form-urlencoded

而不是

application/x-www-form-urlencoded

作为我的contentType选项。

WRONG:

$.ajax({
    url: 'http://www.example.com/api/Account/Token',
    contentType: 'content-type: application/x-www-form-urlencoded',
    method: 'POST',
    data: {
        grant_type: "password",
        username: $('#username').val(),
        password: $('#password').val()
    },
});

RIGHT:

$.ajax({
    url: 'http://www.example.com/api/Account/Token',
    contentType: 'application/x-www-form-urlencoded',
    method: 'POST',
    data: {
        grant_type: "password",
        username: $('#username').val(),
        password: $('#password').val()
    },
});

答案 1 :(得分:2)

找到了一段代码here,它为我修好了。

//Startup.cs
public void ConfigureOAuth(IAppBuilder app)
{
    app.Use(async (context, next) =>
    {
        IOwinRequest req = context.Request;
        IOwinResponse res = context.Response;
        if (req.Path.StartsWithSegments(new PathString("/oauth2/token")))
        {
            var origin = req.Headers.Get("Origin");
            if (!string.IsNullOrEmpty(origin))
            {
                res.Headers.Set("Access-Control-Allow-Origin", origin);
            }
            if (req.Method == "OPTIONS")
            {
                res.StatusCode = 200;
                res.Headers.AppendCommaSeparatedValues("Access-Control-Allow-Methods", "GET", "POST");
                res.Headers.AppendCommaSeparatedValues("Access-Control-Allow-Headers", "authorization", "content-type", "x-api-applicationid", "access-control-allow-origin");
                return;
            }
        }
        await next();
    });

    // rest of owin Oauth config
}

我从自定义OAuth Provider.csp>中删除了MatchEndpoint方法

答案 2 :(得分:2)

无需删除MatchEndPoint

Access-Control-Allow-Headers

中添加逗号分隔值作为第一个数组元素,而不是添加数组元素

而不是

 context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", 
                new[] { 
                    "access-control-allow-origin", 
                    "accept", 
                    "x-api-applicationid", 
                    "content-type", 
                    "authorization" 
                });

使用

context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", 
    new[] { 
        "access-control-allow-origin,accept,x-api-applicationid,content-type,authorization" 
    });
相关问题
最新问题