[英]Cross-Origin Request Blocked: CORS header 'Access-Control-Allow-Origin' missing
使用Identity Server 3我正在尝试根据文档配置CORS。 当我执行GET请求时,我可以看到Fiddler中捕获的响应是正确的并且缺少Access-Control-Allow-Origin标头。
这是用于设置IdentityServerOptions的代码:
public void Configuration(IAppBuilder app)
{
var factory = InMemoryFactory.Create(
clients: Clients.Get(),
scopes: Scopes.Get());
var viewOptions = new DefaultViewServiceOptions();
viewOptions.Stylesheets.Add("/Content/site.css");
viewOptions.Scripts.Add("/Content/logon.js");
viewOptions.CacheViews = false;
factory.ConfigureDefaultViewService(viewOptions);
// This is where the CORS policy service is configured.
var corsPolicyService = new DefaultCorsPolicyService();
corsPolicyService.AllowAll = true;
factory.CorsPolicyService = new Registration<ICorsPolicyService>(corsPolicyService);
var userService = new LocalRegistrationUserService();
factory.UserService = new Registration<IUserService>(resolver => userService);
var options = new IdentityServerOptions
{
SiteName = "IdentityServer",
SigningCertificate = this.certificateProvider.Certificate,
Factory = factory,
RequireSsl = true,
// This is deprecated, but should still work according to the documentation.
// However using or not using it makes no change.
// CorsPolicy = CorsPolicy.AllowAll,
ProtocolLogoutUrls = logoutUrls,
AuthenticationOptions = new AuthenticationOptions()
{
EnableSignOutPrompt = false,
EnablePostSignOutAutoRedirect = true,
PostSignOutAutoRedirectDelay = 5,
},
};
app.Map("/core", idsrvApp =>
{
idsrvApp.UseIdentityServer(options);
});
}
如果然后我从其他站点执行简单的GET请求,这是我得到的响应:
HTTP/1.1 302 Found
Content-Length: 0
Location: https://federation.example.com/core/login?signin=2ce0b4f...71313af
Server: Microsoft-IIS/8.5
Set-Cookie: SignInMessage.2ce0b4f...A1D5NkPJQ; path=/core; secure; HttpOnly
X-Powered-By: ASP.NET
Date: Mon, 13 Jul 2015 12:00:00 GMT
为什么不应用Access-Control-Allow-Origin标头?
似乎在Identity Server 3中正确设置了CORS策略服务,但是所请求的路径显然无法通过其他服务器使用。
由日志表中的错误标识的请求路径是:
发出的CORS请求路径:/ connect / authorize from origin:空,但由于无效的CORS路径而被拒绝
我认为这是一种额外的安全措施,可防止恶意系统未经用户同意而登录用户。
因此,唯一可以调用此受保护路径的系统将在工厂的Client.RedirectUris (用于隐式流)中定义。
Web API 2 C#中出现跨源错误-原因:缺少CORS标头'Access-Control-Allow-Origin'
[英]cross origin error in web api 2 c# - Reason: CORS header 'Access-Control-Allow-Origin' missing
被CORS策略阻止:“ Access-Control-Allow-Origin”标头包含多个值“ *,*”,但仅允许一个
[英]been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed
CORS 策略已阻止从原点 '' 在 '' 访问 XMLHttpRequest:没有 'Access-Control-Allow-Origin' header 存在于请求的
[英]Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested
CORS所请求的资源上没有“ Access-Control-Allow-Origin”标头
[英]CORS No 'Access-Control-Allow-Origin' header is present on the requested resource
ServiceStack,CORS和OPTIONS(无Access-Control-Allow-Origin标头)
[英]ServiceStack, CORS, and OPTIONS (No Access-Control-Allow-Origin header)
CORS - 没有'Access-Control-Allow-Origin' header 存在于请求的资源上
[英]CORS - No 'Access-Control-Allow-Origin' header is present on the requested resource
Web API 2 CORS不存在“ Access-Control-Allow-Origin”标头
[英]web api 2 CORS No 'Access-Control-Allow-Origin' header is present
CORS asp.net 核心 webapi - 缺少 Access-Control-Allow-Origin 标头
[英]CORS asp.net core webapi - missing Access-Control-Allow-Origin header
CORS 策略已阻止从 *** 从源 *** 获取访问权限:无“访问控制允许源”
[英]Access to fetch at *** from origin *** has been blocked by CORS policy: No 'Access-Control-Allow-Origin'
WebApi CORs - 请求错误时出现Access-Control-Allow-Origin标头
[英]WebApi CORs - Access-Control-Allow-Origin header is present on request error
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.