ASP.NET Core Web API cross-domain (CORS) Cookie problem

For a Web API, handling requests from other origins (cross-domain requests) is a perfectly reasonable requirement.

First, following the existing articles, a quick copy-and-paste to enable CORS:

Microsoft: Enable cross-origin requests (CORS) in ASP.NET Core

ASP.NET Core cross-domain configuration (CORS)

If you follow the articles above step by step, you will find that cross-origin requests do work, but even when the client enables credentials (xhr.withCredentials = true), the cookie is still not sent to the API.

About AllowAnyOrigin

This is because the request carries a Cookie: if the value of Access-Control-Allow-Origin is "*", the request will fail. If Access-Control-Allow-Origin is instead set to http://foo.example, the request succeeds.

PS: Authenticating an API with a cookie is not very sensible, but sometimes you have to upgrade old interfaces and make do, heh.

Why?

Let's look at how it works:

Ruan Yifeng's blog: Cross-Origin Resource Sharing (CORS) explained

More detailed articles:

MDN: HTTP access control (CORS)

MDN: HTTP cookies

Further reading:

Ziyunfei: SameSite cookies, preventing CSRF attacks

Leaving simple requests and preflight requests aside (which does not mean they are unimportant), we find something called SameSite: it tells the browser not to send the cookie on requests to a different site, so by default a cross-site call to the Web API carries no cookie, and ASP.NET Core Web API enables this by default. So it can be turned off in the configuration.

......

services.AddCors(options =>
{
    options.AddPolicy("any", policyBuilder =>
    {
        policyBuilder.AllowAnyMethod()
            .AllowAnyHeader()
            //.WithMethods("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "DEBUG");
            .AllowCredentials(); // allow credentials (cookies) on cross-origin requests

        var cfg = Configuration.GetSection("AllowedHosts").Get<List<string>>();
        // Note: a wildcard origin cannot carry credentials. With "*" the browser drops the cookie
        // (see the MDN quote above), and ASP.NET Core 2.2 and later reject AllowAnyOrigin() combined
        // with AllowCredentials() at startup. Cookies only work with the explicit origin list below.
        if (cfg == null || cfg.Contains("*")) policyBuilder.AllowAnyOrigin(); // allow access from any origin
        else policyBuilder.WithOrigins(cfg.ToArray()); // allow specific origins such as http://localhost:8080
    });
});

services.Configure<CookiePolicyOptions>(options =>
{
    // This lambda determines whether user consent for non-essential cookies is needed for a given request.
    options.CheckConsentNeeded = context => true;
    // Do not let the cookie policy middleware raise any cookie's SameSite attribute above None.
    options.MinimumSameSitePolicy = SameSiteMode.None;
});

.....

app.UseCors("any");
app.UseCookiePolicy();

or

.....

services.AddCors(options =>
{
    options.AddPolicy("any", policyBuilder =>
    {
        policyBuilder.AllowAnyMethod()
            .AllowAnyHeader()
            //.WithMethods("GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "DEBUG");
            .AllowCredentials(); // allow credentials (cookies) on cross-origin requests

        var cfg = Configuration.GetSection("AllowedHosts").Get<List<string>>();
        // Note: as above, "*" cannot be combined with credentials; only the explicit origin list lets the cookie through.
        if (cfg == null || cfg.Contains("*")) policyBuilder.AllowAnyOrigin(); // allow access from any origin
        else policyBuilder.WithOrigins(cfg.ToArray()); // allow specific origins such as http://localhost:8080
    });
});


services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(configureOptions =>
    {
        // Issue the authentication cookie itself with SameSite=None so the browser sends it cross-site.
        configureOptions.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    });

......

app.UseCors("any");
app.UseAuthentication();
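The two configurations above both leave a branch in which AllowCredentials() is paired with AllowAnyOrigin(), which is exactly the "*" case the MDN quote says will fail. As an added example (not code from the original post), here is a variant that only ever pairs credentials with an explicit origin list, fails at startup when the configuration contains "*", issues the cookie as SameSite=None together with Secure (which current browsers require before they honour SameSite=None), and registers antiforgery, since relaxing SameSite removes the browser's own CSRF protection for that cookie. It assumes an ASP.NET Core 3.x or later app with cookie authentication and a constructed configuration key "AllowedOrigins" (an array such as ["https://app.example.com"]); the post's own code reads "AllowedHosts" instead.

```csharp
// Added example, not the post's own code. Assumes appsettings.json contains
// "AllowedOrigins": ["https://app.example.com"] (a constructed key) and that the
// app uses cookie authentication on ASP.NET Core 3.x or later.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class CorsCookieSetup
{
    public const string PolicyName = "credentialed";

    // Returns the explicit origins a credentialed policy may use, or throws when the
    // configuration would otherwise produce a policy that browsers reject.
    public static string[] ReadAllowedOrigins(IConfiguration configuration)
    {
        var origins = configuration.GetSection("AllowedOrigins").Get<List<string>>() ?? new List<string>();
        if (origins.Count == 0 || origins.Contains("*"))
        {
            // Access-Control-Allow-Origin: * is ignored by browsers when the request carries
            // cookies, so a wildcard here is a misconfiguration, not a fallback. Fail at
            // startup rather than at the first user's login.
            throw new InvalidOperationException(
                "AllowedOrigins must list explicit origins (scheme://host[:port]) when cookies are used; '*' is not allowed.");
        }
        // Normalise the configured values: an Origin header never carries a trailing slash,
        // and scheme and host are case-insensitive.
        return origins.Select(o => o.TrimEnd('/').ToLowerInvariant()).ToArray();
    }

    public static void ConfigureServices(IServiceCollection services, IConfiguration configuration)
    {
        var origins = ReadAllowedOrigins(configuration);

        services.AddCors(options =>
        {
            options.AddPolicy(PolicyName, policy => policy
                .WithOrigins(origins)     // explicit list; never AllowAnyOrigin() with credentials
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials());     // emits Access-Control-Allow-Credentials: true
        });

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // SameSite=None is what lets the browser attach the cookie from another site;
                // browsers only accept it when the cookie is also marked Secure.
                options.Cookie.SameSite = SameSiteMode.None;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                options.Cookie.HttpOnly = true;
            });

        // With SameSite relaxed, state-changing endpoints must validate an antiforgery token
        // (or a custom request header that a plain cross-site form post cannot set).
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
    }

    public static void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCors(PolicyName);   // CORS must run before authentication and endpoints
        app.UseAuthentication();
        app.UseAuthorization();
    }
}
```

Registering antiforgery only wires up the service; the controllers or endpoints that change state still need to validate the token (for example with [ValidateAntiForgeryToken] or [AutoValidateAntiforgeryToken]). The startup check is deliberately strict: a missing or wildcard origin list is the one case where a credentialed CORS policy can never work, so it is better surfaced as a configuration error than as a cookie that silently never arrives.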

References

https://docs.microsoft.com/zh-cn/aspnet/core/security/cors

http://www.ruanyifeng.com/blog/2016/04/cors.html

https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS

https://www.cnblogs.com/ziyunfei/p/5637945.html

Statement

This article is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 China Mainland License and is published on CSDN and cnblogs. Readers are welcome to reprint it, but without the author's consent this statement must be retained and a link to the original must be given in a prominent position on the page. Readers and crawlers are asked to respect copyright.

Source: www.cnblogs.com/chasingdreams2017/p/11318083.html