问题
i have a custom cors policy like below, where I am setting support-credentials to false
public class CorsProviderFactory : ICorsPolicyProviderFactory
{
//https://msdn.microsoft.com/en-us/magazine/dn532203.aspx
public ICorsPolicyProvider GetCorsPolicyProvider(
HttpRequestMessage request)
{
return new CorsPolicyProviderCustom();
}
public class CorsPolicyProviderCustom : Attribute, ICorsPolicyProvider
{
private readonly CorsPolicy _policy;
public CorsPolicyProviderCustom()
{
// Create a CORS policy.
_policy = new CorsPolicy
{
AllowAnyMethod = true,
AllowAnyHeader = true,
AllowAnyOrigin = true,
SupportsCredentials = false
};
// Magic line right here
_policy.Origins.Add("*");
_policy.Methods.Add("*");
}
public Task<CorsPolicy> GetCorsPolicyAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
return Task.FromResult(_policy);
}
}
}
and used it like :
public static HttpConfiguration Register()
{
var config = new HttpConfiguration();
config.SetCorsPolicyProviderFactory(new CorsProviderFactory());
config.EnableCors();
.................
}
but even then in the postman response i see, support-credentials as true
how can I get support-credentials as false, the breakpoint does reaches to the custom policy part, so why is it that its not working :(
回答1:
For security reasons you can not use Access-Control-Allow-Credentails with Access-Control-Allow-Origin set to *.
You must specify the exact domain(s) in Access-Control-Allow-Origin, OR set Access-Control-Allow-Credentails to false.
来源:https://stackoverflow.com/questions/29345935/custom-cors-policy-not-working