stackoom
  简体   繁体   中英

Access-Control-Allow-Methods doesn't seem to be working

 原文  2017-03-09 21:00:08       javascript/ jquery/ ajax/ cors/ asp.net-web-api2

Question

I have a small Web API app up on a web server, with one GET method that returns 3 records, and a POST method that accepts an object and then assigns it an ID and returns the same object.

I'm making ajax calls from a local web app, and testing out my CORS implementation. Almost everything so far, is working well. If I don't specify an Access-Control-Allow-Origin (just set to * for now), my calls are disallowed (what I expect), but I also tried specifying Access-Control-Allow-Methods and it doesn't seem like my input restricts specific calls from being made.

For example, this is what my web.config contains: 

<httpProtocol>
  <customHeaders>
    <clear />
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization, Accept, X-Requested-With " />
    <add name="Access-Control-Allow-Methods" value="OPTIONS, GET" />
  </customHeaders>
</httpProtocol>

I only have OPTIONS and GET listed, but I am still able to make POST requests. Likewise, if I set it it "OPTIONS, POST" I am still able to make GET requests.

EDIT

Based on the answer from @geekonaut below I was able to see this function as I'd expect. I attempted to try a PUT request, rather than GET or POST , but then I got an error that the OPTIONS (preflight) request wasn't allowed. I first needed to add a section in my Global.asax.cs file to accept that method, then if I toggled adding/removing PUT in my web.config's Access-Control-Allow-Methods value, I saw that it would only allow that method if it was listed. 

protected void Application_OnBeginRequest()
{
    if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
    {
        HttpContext.Current.Response.StatusCode = 200;
        HttpContext.Current.Response.End();
    }
}

1 answers

solution1
 3 ACCPTED  2017-03-17 11:25:25

CORS does not prevent a simple (or even preflighted) POST request based on its method.

The Access-Control-Allow-Methods will only be effective for requests that could not have been made with a simple cross-origin form, for instance.

That means: GET and POST can skip the Access-Control-Allow-Methods as described in the spec :

Simple cross-origin requests generated outside this specification (such as cross-origin form submissions using GET or POST or cross-origin GET requests resulting from script elements) typically include user credentials, so resources conforming to this specification must always be prepared to expect simple cross-origin requests with credentials.

Because of this, resources for which simple requests have significance other than retrieval must protect themselves from Cross-Site Request Forgery (CSRF) by requiring the inclusion of an unguessable token in the explicitly provided content of the request.

(emphasis mine)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Access-Control-Allow-Methods DELETE is not allowed by Access-Control-Allow-Methods How to use Access-Control-Allow-Methods in header Access-Control-Allow-Methods and Microsoft Edge, works with Firefox and Chrome Method PATCH is not allowed by Access-Control-Allow-Methods in preflight response Ionic v2 + CORS Preflight Access-Control-Allow-Methods Cors request method PUT is not allowed by Access-Control-Allow-Methods Serverless CORS Error: Did not find method in CORS header ‘Access-Control-Allow-Methods' XMLHttpRequest cannot load url. Method PUT is not allowed by Access-Control-Allow-Methods in preflight response OPTIONS 405 (Method Not Allowed) regardless server sends Access-Control-Allow-Methods:OPTIONS, GET, HEAD, POST
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM