Resolving Ajax cross-domain requests in Web API (CORS implementation)

Source: Internet
Author: User

Overview

ASP.NET Web API is easy to use: it needs no complex configuration file, just a simple ApiController with an action.

However, anyone using the API will run into cross-domain requests sooner or later; with today's variety of applications, cross-domain API requests cannot be avoided.

By default, to guard against CSRF (cross-site request forgery) attacks, JavaScript's same-origin policy restricts a web page when it fetches data from another domain.

There are ways around this restriction. The best known is JSONP, but it is only one of many solutions, and because JSONP supports only GET requests it no longer meets the needs of today's complex applications.

CORS (Cross-Origin Resource Sharing, https://www.w3.org/wiki/CORS) is a newer header specification that lets the server relax the restriction on cross-domain resource sharing: based on these headers, cross-domain requests can be restricted or allowed. Importantly, it supports all HTTP request methods.

Problem

When XMLHttpRequest sends a cross-domain POST or GET request, the request automatically becomes an OPTIONS request.

Because of the CORS (Cross-Origin Resource Sharing) specification, the browser first sends an OPTIONS probe whose Origin header lets the server decide whether the cross-domain request is permitted. The server responds with an Access-Control-Allow-Origin value, which the browser matches against the origin; if it matches, the browser then sends the actual POST request. Even if the server allows cross-domain access, the request fails if the server does not support the OPTIONS request.

Reason

For security, the browser uses a preflighted request as a transparent server-side validation mechanism, which lets developers use custom headers, methods other than GET or POST, and different content types for the body. This means an OPTIONS request is sent first to ask the server whether it will allow the request, ensuring the request is safe to send.

An OPTIONS request is generally sent when:

1. The request method is neither GET nor POST

2. The Content-Type of a POST request is not one of the usual three: application/x-www-form-urlencoded (a form submitted with the HTTP POST method), multipart/form-data (as above, but mainly used when the form includes a file upload), or text/plain (plain text)

3. The payload of the POST request is text/html

4. A custom header is set

The OPTIONS request carries the following headers: Origin, Access-Control-Request-Method, Access-Control-Request-Headers. After receiving this request, the server can set the following response headers to tell the browser whether the request is allowed:

Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers

Workaround

The first method is powerful enough to handle complex cross-domain requests in ASP.NET Web API, including requests that carry complex header information, body content, and authorization information.

Method One

    using System.Collections.Generic;
    using System.Linq;
    using System.Net;
    using System.Net.Http;
    using System.Threading;
    using System.Threading.Tasks;

    public class CrosHandler : DelegatingHandler
    {
        private const string Origin = "Origin";
        private const string AccessControlRequestMethod = "Access-Control-Request-Method";
        private const string AccessControlRequestHeaders = "Access-Control-Request-Headers";
        private const string AccessControlAllowOrign = "Access-Control-Allow-Origin";
        private const string AccessControlAllowMethods = "Access-Control-Allow-Methods";
        private const string AccessControlAllowHeaders = "Access-Control-Allow-Headers";
        private const string AccessControlAllowCredentials = "Access-Control-Allow-Credentials";

        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            // A request that carries an Origin header is a cross-origin request.
            bool isCrosRequest = request.Headers.Contains(Origin);
            // The browser's preflight is sent as an OPTIONS request.
            bool isPrefilightRequest = request.Method == HttpMethod.Options;

            if (isCrosRequest)
            {
                Task<HttpResponseMessage> taskResult = null;

                if (isPrefilightRequest)
                {
                    // Answer the preflight here; it is not forwarded to a controller.
                    taskResult = Task.Factory.StartNew<HttpResponseMessage>(() =>
                    {
                        HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK);

                        // Echo the caller's Origin back as the allowed origin.
                        response.Headers.Add(AccessControlAllowOrign,
                            request.Headers.GetValues(Origin).FirstOrDefault());

                        // TryGetValues is used because GetValues throws when the header is absent.
                        IEnumerable<string> values;
                        string method = request.Headers.TryGetValues(AccessControlRequestMethod, out values)
                            ? values.FirstOrDefault() : null;
                        if (method != null)
                        {
                            response.Headers.Add(AccessControlAllowMethods, method);
                        }

                        string headers = request.Headers.TryGetValues(AccessControlRequestHeaders, out values)
                            ? string.Join(", ", values) : null;
                        if (!string.IsNullOrWhiteSpace(headers))
                        {
                            response.Headers.Add(AccessControlAllowHeaders, headers);
                        }

                        response.Headers.Add(AccessControlAllowCredentials, "true");
                        return response;
                    }, cancellationToken);
                }
                else
                {
                    // Run the actual request, then attach the CORS headers to its response.
                    taskResult = base.SendAsync(request, cancellationToken).ContinueWith<HttpResponseMessage>(t =>
                    {
                        var response = t.Result;
                        response.Headers.Add(AccessControlAllowOrign,
                            request.Headers.GetValues(Origin).FirstOrDefault());
                        response.Headers.Add(AccessControlAllowCredentials, "true");
                        return response;
                    });
                }

                return taskResult;
            }

            // Not a cross-origin request: pass it through unchanged.
            return base.SendAsync(request, cancellationToken);
        }
    }

Usage: register the handler in the Global.asax file

    protected void Application_Start()
    {
        IocConfig.RegisterAll();
        AreaRegistration.RegisterAllAreas();
        WebApiConfig.Register(GlobalConfiguration.Configuration);
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
        GlobalConfiguration.Configuration.MessageHandlers.Add(new CrosHandler());
    }
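Method One echoes back whatever Origin the caller sends and also sets Access-Control-Allow-Credentials to true, so any site can make credentialed requests to the API and read the responses. A variant that echoes the origin only when it is on an allow-list, given here as an added example that is not part of the original article; the class name AllowListCorsHandler and the listed origins, methods and headers are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
// Added example: the class name and the allow-list values are assumptions.
public class AllowListCorsHandler : DelegatingHandler
{
    // Constructed sample origins; list the front ends that may call the API.
    private static readonly HashSet<string> AllowedOrigins = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "https://app.example.com", "https://admin.example.com" };
    private static readonly HashSet<string> AllowedMethods = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "GET", "POST", "PUT", "DELETE" };
    private const string AllowedHeaders = "Content-Type, Authorization";
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        string origin = request.Headers.TryGetValues("Origin", out values) ? values.FirstOrDefault() : null;
        if (origin == null)
            return await base.SendAsync(request, cancellationToken); // no Origin header: not a CORS request
        bool originAllowed = AllowedOrigins.Contains(origin);
        string requested = request.Headers.TryGetValues("Access-Control-Request-Method", out values)
            ? values.FirstOrDefault() : null;
        HttpResponseMessage response;
        if (request.Method == HttpMethod.Options && requested != null)
        {
            // Preflight: answered here, never forwarded to a controller.
            bool ok = originAllowed && AllowedMethods.Contains(requested);
            response = new HttpResponseMessage(ok ? HttpStatusCode.OK : HttpStatusCode.Forbidden);
            if (ok)
            {
                response.Headers.Add("Access-Control-Allow-Methods", requested);
                response.Headers.Add("Access-Control-Allow-Headers", AllowedHeaders);
            }
        }
        else response = await base.SendAsync(request, cancellationToken);
        response.Headers.Vary.Add("Origin"); // caches must key the response on Origin
        if (originAllowed)
        {
            // Only a listed origin is echoed back and allowed to send credentials.
            response.Headers.Add("Access-Control-Allow-Origin", origin);
            response.Headers.Add("Access-Control-Allow-Credentials", "true");
        }
        return response;
    }
}
```

Register it in Application_Start with the same MessageHandlers.Add call in place of CrosHandler. A non-preflight request from an unlisted origin still reaches the controller and the browser only withholds the response from the calling page, so state-changing actions still need their own CSRF protection.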

Method Two

Add the following to the configuration file. This approach is simple and suits simple cross-domain requests.

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*" />
          <add name="Access-Control-Allow-Headers" value="Content-Type" />
          <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

original : Jane Xuan Ice . com/jianxuanbing/p/7324929.html

Reference: https://code.msdn.microsoft.com/windowsdesktop/Implementing-CORS-support-a677ab5d#content
