Introduction to Cross-Domain Settings for Complex Requests in ASP.NET WebAPI2

  • 2021-11-14 05:24:34
  • OfStack

Cross-domain configuration in ASP.NET Core is relatively simple because dedicated support is officially integrated into the framework. See the official Microsoft documentation:

https://docs.microsoft.com/zh-cn/aspnet/core/security/cors?view=aspnetcore-3.1#ecors

Cross-domain condition

Cross-domain refers to HTTP requests that the current resource initiates when accessing other resources. For security reasons, the browser restricts normal access for these requests under the same-origin policy: a request counts as cross-domain as soon as any one of the domain name, protocol, or port differs. It is especially important to note that these requests occur in the browser.

Solution

Method 1. Add the following configuration under the system.webServer node in the web.config file:


<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Methods" value="OPTIONS,POST,GET" />
      <add name="Access-Control-Allow-Headers" value="x-requested-with,content-type" />
      <add name="Access-Control-Allow-Origin" value="*" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Method 2. Reference the NuGet package Microsoft.AspNet.Cors, then add the following attribute to the controller:
[EnableCors(origins: "*", headers: "*", methods: "*")]

Note that the two methods above must not both be set. If the header is set twice, you will get the error: 'Access-Control-Allow-Origin' header contains multiple values '*, *'.

Complex request problem

The above two methods are only effective for simple cross-domain requests, and cannot handle complex cross-domain requests.

Simple request: the request method is GET, HEAD or POST, and contentType is text/plain, application/x-www-form-urlencoded or multipart/form-data.

Requests that do not meet the above conditions are considered complex requests. In development we most often trigger them because the contentType of the request is set to application/json.

Note: If an authentication header is set on a simple request, the request is also "upgraded" to a complex request.

Before the formal communication, a complex request adds one extra HTTP query request, called the "pre-check" (preflight) request. The browser first asks the server whether the domain name of the current web page is in the server's permitted list, and which HTTP verbs and header fields can be used. Only after it gets a positive reply does the browser issue the formal XMLHttpRequest; otherwise it reports an error. The HTTP method of the preflight request is OPTIONS. In other words, if an OPTIONS request is sent before your xhr request, the request you want to execute is a complex request.

Complex request processing

In the Global.asax file, handle it in the Application_BeginRequest method:


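// Requires: using System; using System.Linq; (AllKeys.Contains is a LINQ extension method)
// "override" and the base call assume the application class derives from a base class
// that declares a virtual Application_BeginRequest.
protected override void Application_BeginRequest(object sender, EventArgs e)
{
    // Allow cross-domain access from every origin
    Response.Headers.Add("Access-Control-Allow-Origin", "*");
    // Intercept the OPTIONS (preflight) request and answer it here
    if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
    {
        Response.Headers.Add("Access-Control-Allow-Headers", "*");
        Response.Headers.Add("Access-Control-Allow-Methods", "*");
        Response.Flush();
        Response.End(); // ends the request; the code below is not reached for preflights
    }
    base.Application_BeginRequest(sender, e);
}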

In this way, the OPTIONS preflight request is answered with "cross-domain supported". The formal request then arrives at the Action in the controller, where the corresponding cross-domain handling also applies. Cross-domain support for the whole complex request is then complete.
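A variant of the handler above that answers the preflight only for known origins instead of "*", as an added example that is not code from the original article. The class name and the two origins are constructed placeholders, the allowed methods and headers are the ones from Method 1, and it assumes neither Method 1 nor Method 2 is also configured (otherwise the duplicate-header error described earlier returns).

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: hypothetical Global.asax.cs code-behind, not from the original article.
public class WebApiApplication : HttpApplication
{
    // Constructed sample allow-list; replace with the origins that really call this API.
    private static readonly HashSet<string> AllowedOrigins =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "https://app.example.com",
            "https://admin.example.com"
        };

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        string origin = Request.Headers["Origin"];
        if (string.IsNullOrEmpty(origin))
            return; // no Origin header: not a cross-domain browser request

        // The response now depends on Origin, so caches must key on it.
        Response.AppendHeader("Vary", "Origin");

        // A preflight is an OPTIONS request that carries Access-Control-Request-Method.
        bool isPreflight = Request.HttpMethod == "OPTIONS"
            && Request.Headers["Access-Control-Request-Method"] != null;

        if (AllowedOrigins.Contains(origin))
        {
            // Echo the single matching origin instead of "*".
            Response.AppendHeader("Access-Control-Allow-Origin", origin);
            if (isPreflight)
            {
                // Same methods and headers as the web.config in Method 1.
                Response.AppendHeader("Access-Control-Allow-Methods", "OPTIONS,POST,GET");
                Response.AppendHeader("Access-Control-Allow-Headers", "x-requested-with,content-type");
            }
        }

        if (isPreflight)
        {
            // Answer every preflight here; an unlisted origin gets no CORS headers,
            // so the browser never sends the formal request.
            Response.StatusCode = 204;
            CompleteRequest(); // skip the rest of the pipeline without aborting the thread
        }
    }
}
```

To check the result, send an OPTIONS request with an Origin header and an Access-Control-Request-Method header: a listed origin should come back in Access-Control-Allow-Origin, and an unlisted one should get a 204 with no Access-Control-* headers.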

Microsoft Official Reference: https://docs.microsoft.com/zh-cn/aspnet/web-api/overview/security/cross-origin-requests-in-web-api
