如何在不同的域上实现MVC前端和WebApi之间的防伪造令牌

1. 我想在www.example1.com上进行MVC项目
2. api.example2.com上的WebApi项目

我想限制对WebApi的访问。我已经尝试实现反伪造令牌：

当我使用防伪令牌创建到WebApi的GET请求时，我会得到一个异常，因为请求不包含此令牌。

在称为ValidateRequestHeader的方法中是变量cookie = null。

如何修复以下代码？这是正确的解决方案吗？

MVC项目（前端）-用于开发的是localhost:33635:

Index.cshtml

<div class="container">

    <div class="row">
        <div class="col-md-12">

            <input id="get-request-button" type="button" class="btn btn-info" value="Create request to API Server" />
            <br />
            <div id="result"></div>
        </div>

    </div>

</div>

@section scripts
{
    <script type="text/javascript">
        @functions{
            public string TokenHeaderValue()
            {
                string cookieToken, formToken;
                AntiForgery.GetTokens(null, out cookieToken, out formToken);
                return cookieToken + ":" + formToken;
            }
        }
        $(function () {
            $("#get-request-button").click(function () {
                $.ajax("http://localhost:33887/api/values", {
                    type: "GET",
                    contentType: "application/json",
                    data: {},
                    dataType: "json",
                    headers: {
                        'RequestVerificationToken': '@TokenHeaderValue()'
                    }
                }).done(function (data) {
                    $("#result").html(data);
                });
                return false;
            });
        });

    </script>
}

WebApi项目-用于开发是localhost:33887:

WebApiConfig.cs

public static void Register(HttpConfiguration config)
        {
            // Web API configuration and services
            config.EnableCors(new EnableCorsAttribute("http://localhost:33635", "*", "*"));
            // Web API routes
            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute(
                    name: "DefaultApi",
                    routeTemplate: "api/{controller}/{id}",
                    defaults: new { id = RouteParameter.Optional }
            );
        }

ValidateHttpAntiForgeryTokenAttribute.cs:

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
    public sealed class ValidateHttpAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
        {
            var request = actionContext.Request;
            try
            {
                if (IsAjaxRequest(request))
                {
                    ValidateRequestHeader(request);
                }
                else
                {
                    AntiForgery.Validate();
                }
            }
            catch (Exception)
            {
                actionContext.Response = new HttpResponseMessage
                {
                    StatusCode = HttpStatusCode.Forbidden,
                    RequestMessage = actionContext.ControllerContext.Request
                };
                return FromResult(actionContext.Response);
            }
            return continuation();
        }
        private Task<HttpResponseMessage> FromResult(HttpResponseMessage result)
        {
            var source = new TaskCompletionSource<HttpResponseMessage>();
            source.SetResult(result);
            return source.Task;
        }
        private bool IsAjaxRequest(HttpRequestMessage request)
        {
            IEnumerable<string> xRequestedWithHeaders;
            if (!request.Headers.TryGetValues("X-Requested-With", out xRequestedWithHeaders)) return false;
            var headerValue = xRequestedWithHeaders.FirstOrDefault();
            return !String.IsNullOrEmpty(headerValue) && String.Equals(headerValue, "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
        }
        private void ValidateRequestHeader(HttpRequestMessage request)
        {
            var headers = request.Headers;
            var cookie = headers
                    .GetCookies()
                    .Select(c => c[AntiForgeryConfig.CookieName])
                    .FirstOrDefault();
            IEnumerable<string> xXsrfHeaders;
            if (headers.TryGetValues("RequestVerificationToken", out xXsrfHeaders))
            {
                var rvt = xXsrfHeaders.FirstOrDefault();
                if (cookie == null)
                {
                    throw new InvalidOperationException($"Missing {AntiForgeryConfig.CookieName} cookie");
                }
                AntiForgery.Validate(cookie.Value, rvt);
            }
            else
            {
                var headerBuilder = new StringBuilder();
                headerBuilder.AppendLine("Missing X-XSRF-Token HTTP header:");
                foreach (var header in headers)
                {
                    headerBuilder.AppendFormat("- [{0}] = {1}", header.Key, header.Value);
                    headerBuilder.AppendLine();
                }
                throw new InvalidOperationException(headerBuilder.ToString());
            }
        }
    }

值控制器：

public class ValuesController : ApiController
    {
        // GET: api/Values
        [ValidateHttpAntiForgeryToken]
        public IEnumerable<string> Get()
        {
            return new string[] { "value1", "value2" };
        }
        // GET: api/Values/5
        public string Get(int id)
        {
            return "value";
        }
        // POST: api/Values
        public void Post([FromBody]string value)
        {
        }
        // PUT: api/Values/5
        public void Put(int id, [FromBody]string value)
        {
        }
        // DELETE: api/Values/5
        public void Delete(int id)
        {
        }
    }