【问题标题】:Why isn't ServiceStack adding the Access-Control-Allow-Origin header to the GET request?为什么 ServiceStack 不将 Access-Control-Allow-Origin 标头添加到 GET 请求中?
【发布时间】:2014-12-21 08:37:24
【问题描述】:

我将 ServiceStack 配置为启用 CORS:

Plugins.Add( new CorsFeature(
    allowOriginWhitelist: new List<string>() { "http://localhost", "http://localhost:8080" },
    allowCredentials: true,
    allowedHeaders: "Content-Type, Allow, Authorization"
) );

PreRequestFilters.Add( ( request, response ) =>
{
    if( request.Verb == "OPTIONS" )
    {
        response.EndRequest();
    }
} );

OPTIONS 请求和响应看起来很棒,并且以 http://localhost:8080 为源成功。但是,随后的 GET 失败,因为根据 Chrome 的说法,它缺少 Access-Control-Allow-Origin 标头。

这是错误:

请求的资源上不存在“Access-Control-Allow-Origin”标头。 Origin http://localhost:8080 因此不允许访问。

这是请求:

GET /app/api/operations/metadata HTTP/1.1
Host: dummy.domain.net
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Content-Type: application/json; charset=utf-8
Referer: http://localhost:8080/dev.html
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

下面是回复:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Vary: Accept
Server: Microsoft-IIS/7.5
X-Powered-By: ServiceStack/4.034 Win32NT/.NET
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Allow, Authorization
Access-Control-Allow-Credentials: true
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 20 Dec 2014 17:22:38 GMT
Content-Length: 38203

注意缺少的 Access-Control-Allow-Origin 标头。

【问题讨论】:

    标签: servicestack cors


    【解决方案1】:

    ServiceStack 的 CorsFeature already handles OPTIONS requests,因此您需要删除它,这样它就不会使请求短路。

    //Should be removed
    PreRequestFilters.Add((request,response) => {
        if (request.Verb == "OPTIONS" )
        {
            response.EndRequest();
        }
    });
    

    WhiteList 添加到自定义 Http 处理程序

    我在 /operations/metadata in this commit 等自定义 Http 处理程序中添加了对源白名单的支持。这现在可以按预期工作,如 http://test.servicestack.net (source code) 中所示:

    HTTP 请求

    GET http://test.servicestack.net/operations/metadata HTTP/1.1
    Host: test.servicestack.net
    Connection: keep-alive
    Cache-Control: max-age=0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: en-US,en;q=0.8
    Origin: http://localhost:8080
    

    HTTP 响应

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html
    Vary: Accept
    Server: Microsoft-IIS/8.5
    Access-Control-Allow-Origin: http://localhost:8080
    X-Powered-By: ServiceStack/4.00 Win32NT/.NET
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
    Access-Control-Allow-Headers: Content-Type, Allow, Authorization
    Access-Control-Allow-Credentials: true
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Sun, 21 Dec 2014 00:30:39 GMT
    Content-Length: 17027
    

    此更改从 v4.0.35+ 可用,现在是 available on MyGet

    【讨论】:

    • 这并没有解决问题。如果我错了,请纠正我,但我认为简短的预过滤器只是跳过了整套 ServiceStack 处理,因为我们知道我们想要的只是标题,无论如何都会添加到这里。我的问题是 GET 请求; OPTIONS 请求运行良好。谢谢!
    • @Seth Right 它会停止所有进一步的处理,因此可能会干扰现有功能。我已更新答案以显示在 v4.0.35+ 中添加了此修复程序。
    • 感谢您提供此修复程序,但它仍然无法正常工作。对 GET 方法的响应需要具有 Access-Control-Allow-Origin 标头,其值是请求的 Origin 标头。
    • 测试服务指定了一个Origin Whitelist,因此需要提供一个匹配的Origin HTTP Header。
    • 谢谢@mythz,从 4.0.38 开始,它运行良好——就像你说的那样 :)
    猜你喜欢
    • 2021-04-19
    • 2023-01-13
    • 2017-12-16
    • 1970-01-01
    • 2016-07-03
    • 2019-03-08
    • 2016-08-03
    • 2012-09-19
    相关资源
    最近更新 更多