Access-Control-Allow-Methods doesn't seem to be working
I have a small Web API app up on a web server, with one GET method that returns 3 records, and a POST method that accepts an object and then assigns it an ID and returns the same object.
I'm making ajax calls from a local web app, and testing out my CORS implementation. Almost everything so far is working well. If I don't specify an Access-Control-Allow-Origin (just set to * for now), my calls are disallowed (what I expect), but I also tried specifying Access-Control-Allow-Methods and it doesn't seem like my input restricts specific calls from being made.
For example, this is what my web.config contains:
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization, Accept, X-Requested-With " />
        <add name="Access-Control-Allow-Methods" value="OPTIONS, GET" />
      </customHeaders>
    </httpProtocol>
I only have OPTIONS and GET listed, but I am still able to make POST requests. Likewise, if I set it to "OPTIONS, POST" I am still able to make GET requests.
EDIT
Based on the answer from @geekonaut below I was able to see this function as I'd expect. I attempted to try a PUT request, rather than GET or POST, but then I got an error that the OPTIONS (preflight) request wasn't allowed. I first needed to add a section in my Global.asax.cs file to accept that method, then if I toggled adding/removing PUT in my web.config's Access-Control-Allow-Methods value, I saw that it would only allow that method if it was listed.
    // Global.asax.cs: answer every CORS preflight (OPTIONS) with 200 and no body,
    // so the browser receives the custom headers from web.config and can evaluate them.
    protected void Application_OnBeginRequest()
    {
        if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
        {
            HttpContext.Current.Response.StatusCode = 200;
            HttpContext.Current.Response.End();
        }
    }
CORS does not prevent a simple (or even preflighted) POST request based on its method.
The Access-Control-Allow-Methods will only be effective for requests that could not have been made with a simple cross-origin form, for instance.
That means: GET and POST can skip the Access-Control-Allow-Methods as described in the spec:
Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.
Because of this, resources for which simple requests have significance other than retrieval must protect themselves from Cross-Site Request Forgery (CSRF) by requiring the inclusion of an unguessable token in the explicitly provided content of the request.
(emphasis mine)
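The behaviour described in this answer and in the asker's EDIT, as an added example that is not part of the question or the answer: a small JavaScript model of the browser's CORS decision, with the question's web.config headers replayed against a form POST, a JSON POST and a PUT. The function names (`isSimpleRequest`, `corsDecision`, `questionScenarios`), the sample requests and the `localhost` origin are my own constructions, and the `405` standing in for the missing OPTIONS handler is an assumed status.

```javascript
// Added example, not code from the question, the answer or any browser/ASP.NET
// API: a compact model of the browser-side CORS decision. It shows why
// Access-Control-Allow-Methods never stops a "simple" GET or POST, yet gates a
// PUT, and why a rejected OPTIONS preflight blocks everything non-simple.
// Every function and object name here is my own invention.

const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

// Split a header value such as "OPTIONS, GET" into trimmed, non-empty tokens.
function parseList(value) {
  return (value || '').split(',').map(v => v.trim()).filter(Boolean);
}

// A request header is CORS-safelisted when its name is one of four and, for
// Content-Type, its media type is one of the three form types.
function isSafelistedHeader(name, value) {
  const lower = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(lower)) return false;
  if (lower !== 'content-type') return true;
  return SIMPLE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
}

// "Simple" (no preflight): method GET/HEAD/POST and only safelisted headers.
// Such a request, and any side effect it has, reaches the server unconditionally.
function isSimpleRequest(req) {
  if (!SIMPLE_METHODS.has(req.method.toUpperCase())) return false;
  return Object.entries(req.headers || {}).every(([n, v]) => isSafelistedHeader(n, v));
}

// The browser's verdict. `server` is { status, headers }; because the IIS
// customHeaders in the question are attached to every reply, one object can
// stand in for both the preflight (OPTIONS) response and the real response.
function corsDecision(req, server) {
  const h = server.headers || {};
  const method = req.method.toUpperCase();
  const allowOrigin = h['Access-Control-Allow-Origin'];
  const originOk = allowOrigin === '*' || allowOrigin === req.origin;
  const verdict = (preflight, reachedServer, allowed, reason) => ({ preflight, reachedServer, allowed, reason });

  if (isSimpleRequest(req)) {
    // No preflight at all: Allow-Methods is never consulted. Allow-Origin only
    // decides whether the calling script may read the response body.
    return verdict(false, true, originOk, originOk ? 'simple request' : 'origin not allowed');
  }

  // Preflighted: OPTIONS must return 2xx (what the asker's Global.asax.cs
  // handler provides), allow the origin, list any non-safelisted method, and
  // list every non-safelisted request header. Simple methods need not be listed.
  if (server.status < 200 || server.status >= 300) {
    return verdict(true, false, false, `preflight rejected with status ${server.status}`);
  }
  if (!originOk) return verdict(true, false, false, 'origin not allowed');
  const methods = new Set(parseList(h['Access-Control-Allow-Methods']).map(m => m.toUpperCase()));
  if (!SIMPLE_METHODS.has(method) && !methods.has(method)) {
    return verdict(true, false, false, `${method} not in Access-Control-Allow-Methods`);
  }
  const allowedHeaders = new Set(parseList(h['Access-Control-Allow-Headers']).map(x => x.toLowerCase()));
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (!isSafelistedHeader(name, value) && !allowedHeaders.has(name.toLowerCase())) {
      return verdict(true, false, false, `${name} not in Access-Control-Allow-Headers`);
    }
  }
  return verdict(true, true, true, 'preflight passed');
}

// The question's web.config, copied into a response-header object.
const QUESTION_HEADERS = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization, Accept, X-Requested-With ',
  'Access-Control-Allow-Methods': 'OPTIONS, GET',
};

// Replay the asker's observations against that config (sample requests are constructed;
// the 405 for a server with no OPTIONS handler is an assumed status).
function questionScenarios() {
  const origin = 'http://localhost:3000';
  const server = { status: 200, headers: QUESTION_HEADERS };
  const noOptionsHandler = { status: 405, headers: QUESTION_HEADERS };
  return {
    formPost: corsDecision({ method: 'POST', origin, headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }, server),
    jsonPost: corsDecision({ method: 'POST', origin, headers: { 'Content-Type': 'application/json' } }, server),
    put: corsDecision({ method: 'PUT', origin, headers: {} }, server),
    putBeforeOptionsHandler: corsDecision({ method: 'PUT', origin, headers: {} }, noOptionsHandler),
    putWhenListed: corsDecision({ method: 'PUT', origin, headers: {} },
      { status: 200, headers: { ...QUESTION_HEADERS, 'Access-Control-Allow-Methods': 'OPTIONS, GET, PUT' } }),
  };
}
```

Running `questionScenarios()` reproduces the asker's findings: the form-encoded POST (jQuery's default) and a plain GET never trigger a preflight, so `Access-Control-Allow-Methods` is never read and the request has already executed on the server by the time the browser decides anything; a JSON POST is preflighted but still passes on its method, only its `Content-Type` has to be listed in `Access-Control-Allow-Headers`; the PUT is refused first because the OPTIONS itself fails, then because PUT is not listed. That is why the quoted spec text places the protection for state-changing simple requests in a server-side anti-CSRF token rather than in CORS response headers.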