1. 技术文章
  2. Azure website Rest Api only accept GET, POST returns 403. Possibly CORS

Azure website Rest Api only accept GET, POST returns 403. Possibly CORS

人走茶凉 提交于 2019-12-24 00:54:45

问题


I am encounter a strange problem. I have a Asp.net Core WebApi project running under Azure App Service (Website). I am using DHC plug-in in Chrome. My service is also running with AAD.

I can request a GET method just fine (After login). However, when I request any POST, I got a 403 response. Looking around in the log, I can see this

2016-07-28T08:14:26 PID[x] Verbose Received request: POST https://blahblah.azurewebsites.net/api/build/beep/

2016-07-28T08:14:26 PID[x] Verbose Found 'AppServiceAuthSession' cookie for site 'blah.azurewebsites.net'. Length: 856.

2016-07-28T08:14:26 PID[x] Information Sending response: 403.60 Forbidden

2016-07-28T08:14:26 PID[x] Warning Cross-site request forgery detected for user 'blah@blahblah.com' from referer ''!

I am using Asp.net Core 1.0. I have CORS enable in my code (AllOrigin AllHeader), as well as the CORS in Azure website has an entry for '*', which supposed to accept every origin. The log stream seems like it does not even hit my website, but something in Azure blocks the request.

Any help?

Edit: A successful GET method

2016-07-28T20:24:35 PID[22880] Verbose Received request: GET https://blah.azurewebsites.net/api/build/beep/

2016-07-28T20:24:35 PID[22880] Verbose Found 'AppServiceAuthSession' cookie for site 'blah.azurewebsites.net'. Length: 876.

2016-07-28T20:24:36 PID[22880] Verbose Authenticated blah@blah.com successfully using 'Session Cookie' authentication.


回答1:


Looks like your JavaScript client is being blocked by the Authentication / Authorization module's CSRF protection, which currently doesn't know about the CORS configuration (it probably should - I'll look into this).

The simplest way to work around this is to add a custom User-Agent HTTP header in your client settings. One of the things our built-in CSRF protection looks for is whether the client is a browser. Pretty much all major browsers use "Mozilla/..." as the user-agent string. Change this to something else to make it clear that you're not a browser and your POST request will go through successfully.




回答2:


In my case I had to remove:

Origin: https://....

changing User-Agent didn't work



来源:https://stackoverflow.com/questions/38630765/azure-website-rest-api-only-accept-get-post-returns-403-possibly-cors

标签
azure
cors
azure-web-sites
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!