.NET Core Web API cross-domain issues

Source: Internet
Author: User


Official notes
    • CORS stands for Cross-Origin Resource Sharing.
    • Refer to the "Same Origin" section
    • Detailed Procedure
Concrete Practice
  • Add the Microsoft.AspNetCore.Mvc.Cors package
  • CORS configuration
    • In the ConfigureServices method of Startup.cs, register the CORS service in the container.
    • services.AddCors(options); pass in an options delegate that names the policy and configures it. At this point cross-domain access is not yet in effect.
    • The options can specify origin, header and method, all configured through a fluent API.
    • AllowAnyOrigin(), AllowAnyHeader() and AllowAnyMethod() indicate that any origin, request header, or request method is allowed.
      • Taking AllowAnyOrigin() as an example, the response header will contain Access-Control-Allow-Origin: *
    • WithOrigins(string[] origins), and likewise WithHeaders and WithMethods, take as arguments the origins, request headers, and request methods to let through.
      • Taking WithOrigins() as an example, the response header will contain Access-Control-Allow-Origin: http://diagd.gridsumdissector.com
    • With AllowCredentials(), the response header will contain Access-Control-Allow-Credentials: true
  • Putting CORS into effect (choose one of three ways; the first is recommended)
    • In the Configure method of Startup.cs, enable cross-domain access globally; every resource covered by the configuration (mostly the endpoints in controllers) can then be accessed across domains.
      • app.UseCors("CorsPolicy"); here "CorsPolicy" is the custom policy name set in the options.
    • In the ConfigureServices method of Startup.cs, enable cross-domain access globally; the effect is the same as above.
      • services.Configure<MvcOptions>(options => options.Filters.Add(new CorsAuthorizationFilterFactory("CorsPolicy"))); "CorsPolicy" is the same name as above.
    • Put the [EnableCors("CorsPolicy")] attribute on a specific controller or method to allow only those resources to be accessed across domains. "CorsPolicy" is the same name as above.
  • Precautions
    • Because the front end usually sets withCredentials to true, the configuration must include AllowCredentials().
      • When the XMLHttpRequest withCredentials flag is set to true, cookies are sent with the request. If the server-side response then does not return an Access-Control-Allow-Credentials: true response header, the browser will not pass the response to the requesting script, in order to protect the information.
    • In this case Access-Control-Allow-Origin must not use a wildcard; you must specify the allowed domains with the WithOrigins(string[] origins) method. Keeping the origins in the appsettings.json file is recommended.
      • If a target domain is set to allow cross-domain requests from any domain and the request carries a cookie, the request is invalid and the browser blocks the returned result. (That is, to support cross-domain requests with cookies you must explicitly configure the allowed origins; an any-domain configuration is not valid.) This is the last line of defense of the CORS model. Without this restriction, JavaScript could read CSRF tokens in the returned data, as well as other sensitive data. This restriction greatly reduces the risk of CORS.
    • When configuring origins in appsettings.json, be sure to specify scheme, domain, subdomain, and port, and never add a trailing slash at the end, for example "http://localhost:6395"
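
The steps above combined into a single Startup.cs, as an added example that is not code from the original article. It assumes ASP.NET Core 2.x; the "Cors:Origins" configuration key and the startup validation of the origin list are this example's own choices.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed appsettings.json entry (the key name is this example's choice):
        //   "Cors": { "Origins": [ "http://localhost:6395" ] }
        var origins = Configuration.GetSection("Cors:Origins").Get<string[]>()
                      ?? new string[0];

        // Fail at startup on entries that cannot work with credentials:
        // a wildcard, a trailing slash, or a value that is not an absolute http/https URL.
        foreach (var origin in origins)
        {
            var ok = origin != "*"
                     && !origin.EndsWith("/")
                     && Uri.TryCreate(origin, UriKind.Absolute, out var uri)
                     && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
            if (!ok)
                throw new InvalidOperationException($"Invalid CORS origin: '{origin}'");
        }

        // Registers the named policy; nothing is applied until UseCors below.
        services.AddCors(options => options.AddPolicy("CorsPolicy", policy => policy
            .WithOrigins(origins)     // Access-Control-Allow-Origin: <matching origin>
            .AllowAnyHeader()
            .AllowAnyMethod()
            .AllowCredentials()));    // Access-Control-Allow-Credentials: true

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Global enablement (the first of the three options); must run before MVC.
        app.UseCors("CorsPolicy");
        app.UseMvc();
    }
}
```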

