How to implement .net Core Cors middleware parsing

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

How is CORS middleware implemented in .NET Core? Many people with little experience find this puzzling, so this article walks through the same-origin policy, the CORS protocol, the server-side configuration and the middleware source, so that you can work through the problem yourself.

I. Same-origin policy and cross-domain resource sharing

1. Same-origin policy

The same-origin policy is a well-known security policy first proposed by Netscape, and every browser that supports JavaScript now enforces it. Two URLs are of the same origin when they share the same domain name, protocol and port.

1.1 Purpose

Its main purpose is to protect user information and prevent one website from stealing another site's data. Without a same-origin policy the following could happen: a user visits two websites, A and B, and logs in to A, which stores cookies or tokens locally in the browser. While the user is on website B, B could read that locally stored information and use the user's cookies to log in to website A, leaking the user's data.

1.2 Limited scope

Cookies, LocalStorage and IndexedDB cannot be read across origins (cookies are shared only with pages of the same origin)

The DOM cannot be accessed (a parent window can only read a child window's content when the two addresses are of the same origin)

AJAX requests cannot be sent (AJAX requests may only be sent to URLs of the same origin)

Remember, these restrictions are browser restrictions.

2. Cross-domain resource sharing

Cross-domain resource sharing (CORS) is the counterpart of the same-origin policy. Throughout a cross-domain exchange the browser automatically recognises that a request is cross-origin and, once it does, either adds request headers (such as Origin) on its own or first sends a preflight request with the OPTIONS method. Browsers divide CORS requests into two categories: simple requests and non-simple requests.

2.1 Simple request.

A request counts as simple when its method is HEAD, GET or POST and its HTTP headers contain no fields beyond the following:

Accept

Accept-Language

Content-Language

Origin

If both conditions hold, the browser treats the request as simple; otherwise it is non-simple. For a simple request the browser automatically adds an Origin field to the request headers giving the address (protocol + domain name + port) the request comes from, and the server must then decide whether to accept a request from that source. The headers the server returns must include Access-Control-Allow-Origin, whose value is either the value of the Origin field sent with the request or * (meaning a request from any source is accepted). The response may also carry Access-Control-Allow-Methods, stating which request methods the server allows cross-domain, and Access-Control-Allow-Headers, stating which request header fields are allowed.

2.2 Non-simple request.

When the browser determines that the request is not simple, it sends two requests. First, it automatically sends a request with the OPTIONS method, and in that request's headers it:

adds Access-Control-Request-Method to state the method of the request that will follow,

adds Origin to state the source,

adds Access-Control-Request-Headers to state the additional header fields the following request will carry.

After receiving this request, the server must read the values of those three request headers and decide whether to allow the cross-domain request. If the response the server returns carries no CORS-related headers at all, the browser treats the preflight as failed and does not send the second request.

If the server accepts the cross-domain request and the OPTIONS check passes, it returns Access-Control-Allow-Origin (which sources may make cross-domain requests), Access-Control-Allow-Methods (which request methods are allowed cross-domain) and Access-Control-Allow-Headers (which additional request header fields are allowed). The browser then sends the actual request.

(first options request)

(Second request)
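The decision the server makes in both exchanges above, written out as an added example (not code from the article or from ASP.NET Core): headers are modelled as plain dictionaries, and the trusted-origin list, allowed methods and allowed headers are constructed assumptions. It shows why an allowlisted origin is echoed back rather than answered with *, and that a failed preflight yields no CORS headers, so the browser never sends the second request.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the article's code: a minimal model of the server side of the
// exchange above, with headers as plain dictionaries (not ASP.NET Core's CorsService).
static class CorsDemo
{
    // constructed policy: the single trusted origin the article uses throughout
    static readonly HashSet<string> AllowedOrigins = new HashSet<string> { "http://localhost:8089" };
    static readonly string[] AllowedMethods = { "GET", "POST", "PUT" };
    static readonly string[] AllowedHeaders = { "content-type", "x-requested-with" };

    // CORS response headers for one request; an empty result means "not allowed",
    // and the browser will then refuse to hand the response to the page.
    public static Dictionary<string, string> Evaluate(string method, Dictionary<string, string> req)
    {
        var res = new Dictionary<string, string>();
        if (!req.TryGetValue("Origin", out var origin) || !AllowedOrigins.Contains(origin))
            return res;                              // no Origin, or an origin we do not trust
        res["Vary"] = "Origin";                      // caches must not reuse this across origins
        if (method != "OPTIONS" || !req.ContainsKey("Access-Control-Request-Method"))
        {
            // simple request (or the real request after preflight): echo the origin, never "*"
            res["Access-Control-Allow-Origin"] = origin;
            return res;
        }
        // preflight: validate the method and the extra headers the real request wants to use
        var wantHeaders = req.TryGetValue("Access-Control-Request-Headers", out var h)
            ? h.Split(',').Select(x => x.Trim().ToLowerInvariant()).ToList() : new List<string>();
        if (!AllowedMethods.Contains(req["Access-Control-Request-Method"]) || wantHeaders.Except(AllowedHeaders).Any())
            return new Dictionary<string, string>();  // preflight fails: browser never sends request 2
        res["Access-Control-Allow-Origin"] = origin;
        res["Access-Control-Allow-Methods"] = string.Join(", ", AllowedMethods);
        res["Access-Control-Allow-Headers"] = string.Join(", ", wantHeaders);
        return res;
    }

    static void Main()
    {
        // constructed preflight, as a browser sends it before a PUT carrying a JSON body
        var preflight = new Dictionary<string, string> {
            ["Origin"] = "http://localhost:8089", ["Access-Control-Request-Method"] = "PUT",
            ["Access-Control-Request-Headers"] = "Content-Type" };
        foreach (var kv in Evaluate("OPTIONS", preflight)) Console.WriteLine($"{kv.Key}: {kv.Value}");
        preflight["Origin"] = "http://other.example";   // not on the list: no CORS headers at all
        Console.WriteLine(Evaluate("OPTIONS", preflight).Count == 0 ? "preflight rejected" : "allowed");
    }
}
```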

II. Implementation of CORS at the server end

It is easy to use in .NET Core Web API. First install the package Microsoft.AspNet.WebApi.Cors, then add the following two statements to Startup:

To use it, add the attribute [EnableCors("CorsTest")] to a Controller or Action.

Now that the server is configured, make a cross-domain request from the front end.
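A complete Startup that registers the "CorsTest" policy and applies it per controller, as an added example rather than the article's own code. It assumes ASP.NET Core 3.x (the article does not state a version) and the same http://localhost:8089 front-end origin; the ValuesController is a constructed placeholder.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example, not the article's code: a Startup for ASP.NET Core 3.x (assumed
// version) that registers the "CorsTest" policy and lets [EnableCors] select it.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddCors(options =>
        {
            // Named policy with an explicit origin list: only these origins are echoed
            // back in Access-Control-Allow-Origin. Prefer this over AllowAnyOrigin() for
            // any endpoint that relies on cookies or other ambient credentials.
            options.AddPolicy("CorsTest", p => p
                .WithOrigins("http://localhost:8089")
                .AllowAnyHeader()
                .AllowAnyMethod());
            // Combining AllowAnyOrigin() with AllowCredentials() throws when the policy is
            // built (ASP.NET Core 2.2+), because CORS forbids "*" together with credentials.
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // UseCors must run after UseRouting and before UseEndpoints, so the middleware
        // answers the OPTIONS preflight itself instead of letting a controller reject it.
        // With no policy name here, the [EnableCors] metadata on each endpoint decides.
        app.UseCors();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Applying the policy per controller (or per action), as the article describes.
[ApiController]
[Route("api/[controller]")]
[EnableCors("CorsTest")]
public class ValuesController : ControllerBase
{
    [HttpGet]
    public string Get() => "ok";
}
```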

The test results are as follows:

(options request)

(Second request)

The configuration above lets requests from any address reach this interface; you can also restrict it to a single address:

services.AddCors(options => options.AddPolicy("CorsTest", p => p.WithOrigins("http://localhost:8089").AllowAnyHeader().AllowAnyMethod()));

III. Parse Cors source code

Open the CORS source code; the main classes are CorsMiddleware, CorsOptions, CorsPolicy, CorsPolicyBuilder, CorsResult and CorsService.

CorsPolicy: the configuration we wrote in Startup, such as which domain names may make cross-domain requests, which request methods are allowed cross-domain, and which additional request headers are allowed. Each configuration corresponds to a name.

services.AddCors(options => options.AddPolicy("CorsTest", p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()));

CorsOptions: contains an IDictionary named PolicyMap. A project may have more than one CORS configuration, so CorsOptions manages these configurations by configuration name.

CorsPolicyBuilder: the builder through which a CorsPolicy is constructed.

CorsResult: the result of validating a cross-domain request. For example, in the first OPTIONS request the client sends Origin: http://localhost:8089 and the server returns Access-Control-Allow-Origin: http://localhost:8089. The server checks whether the domain http://localhost:8089 is allowed to make cross-domain requests; if it is, the value "http://localhost:8089" is stored in the AllowedHeaders of CorsResult, and these values are added to the HTTP response headers when that (first) request is answered.

CorsMiddleware: the CORS middleware class. Its main method is Invoke, which is called for every HTTP request.

The CORS source code is relatively simple and easy to understand. Write a small project yourself, attach the source code, and step through it in the debugger.

After reading the above, do you now understand how .NET Core CORS middleware parsing is implemented? If you want to learn more skills or related content, follow the industry information channel. Thank you for reading!
