CORS全稱Cross-Origin Resource Sharing,中文全稱跨域資源共享。它解決跨域問題的原理是通過向HTTP的請求報文和響應報文里面加入相應的標識(請求頭和響應頭),告訴瀏覽器哪些來源(域名)的頁面可以跨域訪問該資源。
在WebApiCORS項目上面使用Nuget搜索“microsoft.aspnet.webapi.cors”
然后在App_Start文件夾下面的WebApiConfig.cs文件中配置跨域
/// <summary>
/// Web API start-up configuration: registers the global CORS policy and the routes.
/// </summary>
public static class WebApiConfig
{
    /// <summary>
    /// Applies the CORS policy and route table to the given configuration.
    /// </summary>
    /// <param name="config">The Web API configuration to populate.</param>
    public static void Register(HttpConfiguration config)
    {
        // CORS policy for every controller. The three "*" arguments mean any origin,
        // any request header and any HTTP method, so a page on any site may call the
        // API from a browser and read the response. Suitable for a quick demo only;
        // for real deployments list the exact origins that are allowed.
        var openPolicy = new EnableCorsAttribute(origins: "*", headers: "*", methods: "*");
        config.EnableCors(openPolicy);

        // Routes declared with attributes on controllers/actions.
        config.MapHttpAttributeRoutes();

        // Conventional fallback route; {id} may be omitted.
        config.Routes.MapHttpRoute(
            "DefaultApi",
            "api/{controller}/{action}/{id}",
            new { id = RouteParameter.Optional });
    }
}
調用處指定 jQuery.support.cors = true; 這一句就能解決IE8、9對CORS的支持問題
上面配置中的這種*號是不安全的。因為它表示只要別人知道了你的請求url,任何來源的網頁都可以跨域請求并讀取你的資源。這是相當危險的。需要注意,CORS只是由瀏覽器執行的跨域限制,并不能代替身份認證和授權。所以需要我們做一些配置,限制訪問權限。比如我們比較常見的做法如下:
配置方法一:
到web.config配置文件中
<!-- CORS policy read by WebApiConfig at start-up.
     The "*" values shown here still allow every origin, header and method, i.e. the
     same open policy as hard-coding "*". To actually restrict access, set
     cors_allowOrigins to a comma-separated list of the exact origins that may call
     the API (scheme://host[:port], without a trailing slash), and list only the
     headers and methods the clients need. -->
<add key="cors_allowOrigins" value="*"/>
<add key="cors_allowHeaders" value="*"/>
<add key="cors_allowMethods" value="*"/>
// Build the global CORS policy from <appSettings> so it can be changed per
// environment without recompiling. The policy is only as strict as the configured
// values: "*" in cors_allowOrigins still admits every origin.
var appSettings = ConfigurationManager.AppSettings;
var origins = appSettings["cors_allowOrigins"];
var requestHeaders = appSettings["cors_allowHeaders"];
var httpMethods = appSettings["cors_allowMethods"];

config.EnableCors(new EnableCorsAttribute(origins, requestHeaders, httpMethods));
配置方法二:
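// Per-controller CORS policy: only the listed origin and methods are allowed.
// The origin is written without a trailing slash: browsers send the Origin header
// as scheme://host:port with no path, so "http://localhost:8081/" would not match
// the value a browser actually sends.
[EnableCors(origins: "http://localhost:8081", headers: "*", methods: "GET,POST,PUT,DELETE")]
public class ChargingController : ApiController
{
    /// <summary>
    /// Gets all charging data.
    /// </summary>
    /// <returns>The data; this sample returns the literal string "Success".</returns>
    [HttpGet]
    public string GetAllChargingData()
    {
        return "Success";
    }
}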
參考:http://www.cnblogs.com/landeanfen/p/5177176.html
http://www.cnblogs.com/shy1766IT/p/5215311.html
.NET Framework 4.0下通過自定義消息處理器(DelegatingHandler)實現
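/// <summary>
/// Message handler that implements CORS by hand: it answers preflight (OPTIONS)
/// requests itself and adds Access-Control-Allow-Origin to the responses of other
/// cross-origin requests.
/// </summary>
/// <remarks>
/// Security notes:
/// - The parameterless constructor echoes whatever Origin the request carries, which
///   has the same effect as allowing "*". Use the constructor that takes an allowlist
///   to restrict which origins receive CORS headers.
/// - The preflight answer also echoes the requested method and headers, so no
///   method or header restriction is applied here.
/// - This handler never emits Access-Control-Allow-Credentials.
/// - A non-preflight request is still executed by the inner pipeline; CORS headers
///   only decide whether the browser lets the calling page read the response.
///   They are not a substitute for authentication and authorization.
/// </remarks>
public class CrosHandler : DelegatingHandler
{
    private const string _origin = "Origin";
    private const string _accessControlRequestMethod = "Access-Control-Request-Method";
    private const string _accessControlRequestHeaders = "Access-Control-Request-Headers";
    private const string _accessControlAllowOrigin = "Access-Control-Allow-Origin";
    private const string _accessControlAllowMethods = "Access-Control-Allow-Methods";
    private const string _accessControlAllowHeaders = "Access-Control-Allow-Headers";

    // null means "no allowlist configured": every Origin is echoed back.
    private readonly System.Collections.Generic.HashSet<string> _allowedOrigins;

    /// <summary>
    /// Creates a handler that echoes any Origin (equivalent to an open "*" policy).
    /// </summary>
    public CrosHandler()
    {
    }

    /// <summary>
    /// Creates a handler that adds CORS headers only for the given origins.
    /// </summary>
    /// <param name="allowedOrigins">
    /// Exact origins (scheme://host[:port], no trailing slash) that may call the API.
    /// </param>
    /// <exception cref="System.ArgumentNullException">allowedOrigins is null.</exception>
    public CrosHandler(System.Collections.Generic.IEnumerable<string> allowedOrigins)
    {
        if (allowedOrigins == null)
        {
            throw new System.ArgumentNullException("allowedOrigins");
        }

        _allowedOrigins = new System.Collections.Generic.HashSet<string>(
            allowedOrigins, System.StringComparer.OrdinalIgnoreCase);
    }

    /// <summary>
    /// Handles a request: answers preflights directly, decorates other cross-origin
    /// responses, and passes everything else through untouched.
    /// </summary>
    /// <param name="request">The incoming request.</param>
    /// <param name="cancellationToken">Token forwarded to the inner handler.</param>
    /// <returns>A task producing the response.</returns>
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, System.Threading.CancellationToken cancellationToken)
    {
        string origin = GetFirstHeaderValue(request, _origin);

        // Not a cross-origin request, or the origin is not on the allowlist:
        // hand over to the pipeline without adding any CORS header, so the browser
        // refuses to expose the response to the calling page.
        if (origin == null || !IsOriginAllowed(origin))
        {
            return base.SendAsync(request, cancellationToken);
        }

        if (request.Method == HttpMethod.Options)
        {
            // Preflight: answered here, the inner pipeline is never invoked.
            HttpResponseMessage preflightResponse = new HttpResponseMessage(System.Net.HttpStatusCode.OK);
            preflightResponse.Headers.Add(_accessControlAllowOrigin, origin);
            AddVaryOrigin(preflightResponse);

            // Both request headers are looked up with TryGetValues: GetValues throws
            // when a header is absent, and Access-Control-Request-Headers is absent
            // from any preflight that carries no custom headers.
            string method = GetFirstHeaderValue(request, _accessControlRequestMethod);
            if (method != null)
            {
                preflightResponse.Headers.Add(_accessControlAllowMethods, method);
            }

            System.Collections.Generic.IEnumerable<string> requestedHeaders;
            if (request.Headers.TryGetValues(_accessControlRequestHeaders, out requestedHeaders))
            {
                string headers = string.Join(", ", requestedHeaders);
                if (!string.IsNullOrEmpty(headers))
                {
                    preflightResponse.Headers.Add(_accessControlAllowHeaders, headers);
                }
            }

            // The response is already complete; no need to schedule thread-pool work.
            var completed = new TaskCompletionSource<HttpResponseMessage>();
            completed.SetResult(preflightResponse);
            return completed.Task;
        }

        // Actual cross-origin request: run the pipeline, then add the allow header.
        return base.SendAsync(request, cancellationToken)
            .ContinueWith<HttpResponseMessage>(t =>
            {
                var response = t.Result;
                response.Headers.Add(_accessControlAllowOrigin, origin);
                AddVaryOrigin(response);
                return response;
            });
    }

    // True when no allowlist was configured or the origin is on it.
    private bool IsOriginAllowed(string origin)
    {
        return _allowedOrigins == null || _allowedOrigins.Contains(origin);
    }

    // Returns the first value of the named request header, or null when it is absent.
    private static string GetFirstHeaderValue(HttpRequestMessage request, string name)
    {
        System.Collections.Generic.IEnumerable<string> values;
        return request.Headers.TryGetValues(name, out values) ? values.FirstOrDefault() : null;
    }

    // The allow-origin value depends on the request's Origin, so caches must key on it.
    private static void AddVaryOrigin(HttpResponseMessage response)
    {
        if (!response.Headers.Vary.Contains(_origin))
        {
            response.Headers.Vary.Add(_origin);
        }
    }
}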
// Application start-up: runs the project's registration steps in order, then adds
// the hand-written CORS message handler to the Web API pipeline.
protected void Application_Start()
{
    IOCConfig.RegisterAll();
    AreaRegistration.RegisterAllAreas();
    WebApiConfig.Register(GlobalConfiguration.Configuration);
    FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    RouteConfig.RegisterRoutes(RouteTable.Routes);
    BundleConfig.RegisterBundles(BundleTable.Bundles);
    // Registers CrosHandler for every Web API request. Created with its parameterless
    // constructor, the handler echoes any request Origin back in
    // Access-Control-Allow-Origin, i.e. it is as permissive as a "*" policy.
    // NOTE(review): if WebApiConfig.Register also enables CORS, responses could end
    // up with two Access-Control-Allow-Origin values; confirm only one mechanism is active.
    GlobalConfiguration.Configuration.MessageHandlers.Add(new CrosHandler());
}
原文:http://www.cnblogs.com/niuww/p/5569504.html