我在Heroku中部署了一个.NET6最小api,它返回以下CORS错误:
在"…"访问XMLHttpRequest来自原点"…"已被CORS策略阻止:请求的资源上不存在"Access Control Allow Origin"标头。
但当我在本地运行应用程序时,相同的配置不会返回任何错误。
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddCors(options =>
{
options.AddPolicy("MyAllowedOrigins",
policy =>
{
policy
.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
});
});
var app = builder.Build();
app.UseSwagger();
app.UseSwaggerUI();
app.UseHttpsRedirection();
app.UseCors("MyAllowedOrigins");
app.MapPost("/upload-file", async ([FromServices] IWordService service, HttpRequest request) =>...
您可能必须启用具有端点路由的Cors。请参阅此文档:https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-6.0#使用端点路由启用cors
检查中间件订单:https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-6.0#中间件订单
警告:您不应该这样做。这不是一种安全的方式。只有在你不在乎的时候才去做。
以下是用于Minimal API的中间件。它通过给他想要的东西有效地绕过了CORS:
//f**k you CORS
app.Use(async (context, next) =>
{
if (context.Request.Method == "OPTIONS")
{
context.Response.StatusCode = 200;
await WriteCorsAsync(context);
await context.Response.WriteAsync("");
}
else
{
context.Response.OnStarting(WriteCorsAsync, context);
await next(context);
}
static Task WriteCorsAsync(object state)
{
var context = (HttpContext)state;
context.Response.Headers.Add("Access-Control-Allow-Origin", context.Request.Headers.Origin);
context.Response.Headers.Add("Access-Control-Allow-Credentials", "true");
context.Response.Headers.Add("Access-Control-Allow-Methods", string.Join(", ", new[] { context.Request.Method }.Union(context.Request.Headers.AccessControlRequestMethod.Select(v => v))));
context.Response.Headers.Add("Access-Control-Allow-Headers", string.Join(", ", context.Request.Headers.Select(p => p.Key).Union(context.Request.Headers.AccessControlRequestHeaders.Select(v => v))));
return Task.CompletedTask;
}
});