自定义的cors政策不起作用

时间:2015-03-30 12:12:30

标签: angularjs asp.net-web-api asp.net-web-api2 owin

我有一个自定义的cors策略,如下所示,我将support-credentials设置为false 

public class CorsProviderFactory : ICorsPolicyProviderFactory
{
    //https://msdn.microsoft.com/en-us/magazine/dn532203.aspx

    public ICorsPolicyProvider GetCorsPolicyProvider(
        HttpRequestMessage request)
    {
        return new CorsPolicyProviderCustom();
    }

    public class CorsPolicyProviderCustom : Attribute, ICorsPolicyProvider
    {
        private readonly CorsPolicy _policy;

        public CorsPolicyProviderCustom()
        {
            // Create a CORS policy.
            _policy = new CorsPolicy
            {
                AllowAnyMethod = true,
                AllowAnyHeader = true,
                AllowAnyOrigin = true,
                SupportsCredentials = false
            };

            // Magic line right here
            _policy.Origins.Add("*");
            _policy.Methods.Add("*");
        }

        public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            return Task.FromResult(_policy);
        }
    }
}

并使用它:

    public static HttpConfiguration Register()
    {
        var config = new HttpConfiguration();
        config.SetCorsPolicyProviderFactory(new CorsProviderFactory());
        config.EnableCors();

       .................
 }

但即便如此,在邮递员的回应中,我看到,支持 - 凭证为真

enter image description here

如何将支持凭证作为false,断点确实到达自定义策略部分,那么为什么它不起作用:(

1 个答案:

答案 0 :(得分:1)

出于安全原因,Access-Control-Allow-Credentails设置为Access-Control-Allow-Origin时无法使用*

您必须在Access-Control-Allow-Origin中指定确切的域,或将Access-Control-Allow-Credentails设置为false

相关问题
最新问题