Access-Control-Allow-Methods doesn't seem to be working

I have a small Web API app up on a web server, with one GET method that returns 3 records, and a POST method that accepts an object and then assigns it an ID and returns the same object.

I'm making ajax calls from a local web app, and testing out my CORS implementation. Almost everything so far is working well. If I don't specify an Access-Control-Allow-Origin (just set to * for now), my calls are disallowed (what I expect), but I also tried specifying Access-Control-Allow-Methods and it doesn't seem like my input restricts specific calls from being made.

For example, this is what my web.config contains:

<httpProtocol>
  <customHeaders>
    <clear />
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization, Accept, X-Requested-With " />
    <add name="Access-Control-Allow-Methods" value="OPTIONS, GET" />
  </customHeaders>
</httpProtocol>

I only have OPTIONS and GET listed, but I am still able to make POST requests. Likewise, if I set it to "OPTIONS, POST" I am still able to make GET requests.

EDIT

Based on the answer from @geekonaut below I was able to see this function as I'd expect. I attempted to try a PUT request, rather than GET or POST, but then I got an error that the OPTIONS (preflight) request wasn't allowed. I first needed to add a section in my Global.asax.cs file to accept that method; then, if I toggled adding/removing PUT in my web.config's Access-Control-Allow-Methods value, I saw that it would only allow that method if it was listed.

protected void Application_OnBeginRequest()
{
    // Answer the CORS preflight (OPTIONS) with 200 before Web API routing
    // rejects it; the customHeaders from web.config are still attached.
    if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
    {
        HttpContext.Current.Response.StatusCode = 200;
        HttpContext.Current.Response.End();
    }
}

CORS does not prevent a simple (or even preflighted) POST request based on its method.

The Access-Control-Allow-Methods will only be effective for requests that could not have been made with a simple cross-origin form, for instance.

That means: GET and POST can skip the Access-Control-Allow-Methods as described in the spec:

Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.

Because of this, resources for which simple requests have significance other than retrieval must protect themselves from Cross-Site Request Forgery (CSRF) by requiring the inclusion of an unguessable token in the explicitly provided content of the request.

(emphasis mine)
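The behaviour the question and this answer describe, as an added example that is not part of the original post or answer: a small Node.js model of the browser-side CORS decision, following the Fetch spec's "CORS-safelisted" rules. makeServer, crossOriginFetch and the handlesOptions flag are constructed stand-ins for the IIS app and web.config in the question (they do no networking). It shows why POST goes through with "OPTIONS, GET", why PUT does not, why the preflight failed until the Global.asax.cs hook answered OPTIONS, and that a simple POST still reaches the server even when no Access-Control-Allow-Origin is returned, which is the CSRF point in the quoted spec text.

```javascript
'use strict';

// Fetch spec "CORS-safelisted" request methods, header names and Content-Type values.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// "OPTIONS, GET" -> ['OPTIONS', 'GET']
function parseList(headerValue) {
  return (headerValue || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Lower-cased names of request headers that are NOT CORS-safelisted, i.e. the
// ones a preflight must get approved through Access-Control-Allow-Headers.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const lname = name.toLowerCase();
      if (!SAFELISTED_HEADERS.has(lname)) return true;
      if (lname !== 'content-type') return false;
      return !SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

// A "simple" request (safelisted method, only safelisted headers) is sent with
// no preflight at all, exactly like a cross-site <form> submission.
function isSimpleRequest(method, headers) {
  return SAFELISTED_METHODS.has(method) && unsafeHeaderNames(headers).length === 0;
}

// Constructed stand-in for the IIS app in the question: customHeaders go on
// every response, but OPTIONS is only answered 200 when something handles it
// (the Application_OnBeginRequest hook); otherwise the request gets a 405.
function makeServer(allowMethods, { handlesOptions = true, allowOrigin = '*' } = {}) {
  const customHeaders = {
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, Accept, X-Requested-With',
    'Access-Control-Allow-Methods': allowMethods,
  };
  if (allowOrigin !== null) customHeaders['Access-Control-Allow-Origin'] = allowOrigin;
  return { handlesOptions, customHeaders };
}

function serverRespond(server, method) {
  if (method === 'OPTIONS' && !server.handlesOptions) return { status: 405, headers: {} };
  return { status: 200, headers: { ...server.customHeaders } };
}

// What a browser does with a cross-origin XHR/fetch of `method` against `server`.
function crossOriginFetch(server, method, headers = {}) {
  method = method.toUpperCase();
  const preflighted = !isSimpleRequest(method, headers);
  const blocked = (reason) => ({ preflighted, requestSent: false, responseReadable: false, reason });

  if (preflighted) {
    const pre = serverRespond(server, 'OPTIONS');
    if (pre.status < 200 || pre.status > 299) return blocked(`preflight got HTTP ${pre.status}`);
    const allowedMethods = parseList(pre.headers['Access-Control-Allow-Methods']);
    // Safelisted methods pass this check even when absent from the list
    // (Fetch spec, CORS-preflight fetch), so even a preflighted POST is never
    // stopped by Access-Control-Allow-Methods; PUT/DELETE/PATCH etc. are.
    if (!allowedMethods.includes(method) && !SAFELISTED_METHODS.has(method)) {
      return blocked(`${method} not in Access-Control-Allow-Methods`);
    }
    const allowedHeaders = new Set(
      parseList(pre.headers['Access-Control-Allow-Headers']).map((h) => h.toLowerCase()));
    for (const name of unsafeHeaderNames(headers)) {
      if (!allowedHeaders.has(name)) return blocked(`${name} not in Access-Control-Allow-Headers`);
    }
  }
  // The real request is sent, so any server-side effect happens regardless of
  // what follows; Access-Control-Allow-Origin only gates reading the reply
  // (simplified here to the "*" case the question uses).
  const res = serverRespond(server, method);
  return {
    preflighted,
    requestSent: true,
    responseReadable: res.headers['Access-Control-Allow-Origin'] === '*',
    reason: 'ok',
  };
}

const FORM = { 'Content-Type': 'application/x-www-form-urlencoded' };
const JSON_BODY = { 'Content-Type': 'application/json' };

// Walk-through of the question's web.config ("OPTIONS, GET") from the browser side.
function demo() {
  const server = makeServer('OPTIONS, GET');
  return {
    postForm: crossOriginFetch(server, 'POST', FORM),       // sent, no preflight
    postJson: crossOriginFetch(server, 'POST', JSON_BODY),  // preflighted, still sent
    put: crossOriginFetch(server, 'PUT', JSON_BODY),        // blocked by Allow-Methods
    putListed: crossOriginFetch(makeServer('OPTIONS, GET, PUT'), 'PUT', JSON_BODY),
    putNoOptionsHandler: crossOriginFetch(
      makeServer('OPTIONS, GET, PUT', { handlesOptions: false }), 'PUT', JSON_BODY),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see the five outcomes; the useful check for a real deployment is that anything a simple GET or POST can do is protected by a CSRF token or an authentication scheme that a cross-site form cannot supply, because no CORS header stops that request from arriving.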
