asp.net-mvc IIS 劫持 CORS 预检选项请求
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22495240/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
IIS hiHymans CORS Preflight OPTIONS request
提问by Brad Cunningham
I am making a CORS POST request and setting the Content-Type header to json. This triggers a Preflight OPTIONS request to fire (this is good and expected)
我正在发出 CORS POST 请求并将 Content-Type 标头设置为 json。这会触发 Preflight OPTIONS 请求触发(这是好的和预期的)
This OPTIONS request is responded to with a 200 OK but this isn't coming from my WebAPI application.
此 OPTIONS 请求以 200 OK 响应,但这不是来自我的 WebAPI 应用程序。
I have a custom Message Handler in place and it never get's hit so the request is getting responded to by IIS prior to hitting ASP.NET it seems.
我有一个自定义的消息处理程序,它永远不会被命中,因此请求似乎在命中 ASP.NET 之前得到了 IIS 的响应。
I have found several posts on the subject and they say the following
我找到了几个关于这个主题的帖子,他们说了以下内容
Make sure WebDav is uninstalled / removed / disabled - DONE
Make sure the OPTIONSVerbHandler is removed / changed to use aspnet_isapi.dll - TRIED BOTH
Make sure the extensionlessURLHandler includes the OPTIONS verb - DONE
确保 WebDav 已卸载/删除/禁用 -完成
确保删除/更改OPTIONSVerbHandler以使用 aspnet_isapi.dll -两者都尝试过
确保 extensionlessURLHandler 包含 OPTIONS 动词 - DONE
However, my options request is still getting hiHymaned. By that I mean, IIS responds with at 200 OK but isn't including an Access-Control-Allow-Origin header in the response. It isn't including this header because it is never getting to my WebAPI CORS code that would set this header.
但是,我的选项请求仍然被劫持。我的意思是,IIS 以 200 OK 响应,但在响应中不包含 Access-Control-Allow-Origin 标头。它不包含此标头,因为它永远不会访问我的 WebAPI CORS 代码来设置此标头。
The two best posts I could find that sound like my issue are
我能找到的两个最好的帖子听起来像我的问题是
here: JQuery stuck at CORS preflight and IIS ghost response
此处:JQuery 停留在 CORS 预检和 IIS 幽灵响应
and here: http://brockallen.com/2012/10/18/cors-iis-and-webdav/
在这里:http: //brockallen.com/2012/10/18/cors-iis-and-webdav/
I have tried turning on Failed Request tracing (FERB) in IIS and set it to trace all 200 status codes. I don't ever see the options request being logged... Not sure if this means FERB doesn't track OPTIONS requests or if I need to change something in the FERB settings to make it track OPTIONS requests, Or if this is a clue to what my problem is?
我尝试在 IIS 中打开失败请求跟踪 (FERB) 并将其设置为跟踪所有 200 个状态代码。我从来没有看到选项请求被记录......不确定这是否意味着 FERB 不跟踪 OPTIONS 请求,或者我是否需要更改 FERB 设置中的某些内容以使其跟踪 OPTIONS 请求,或者这是否是一个线索我的问题是什么?
This is ASP.NET WebAPI 2.0 running on IIS 7.5 (Also tested on IIS 8 and IISExpress with same results) Doesn't matter what browser (Chrome, FF, and IE all fail the same way)
这是在 IIS 7.5 上运行的 ASP.NET WebAPI 2.0(也在 IIS 8 和 IISExpress 上进行了测试,结果相同)不管什么浏览器(Chrome、FF 和 IE 都以相同的方式失败)
I have tried everything I can find on the subject and still can't fix my problem.
我已经尝试了我能找到的关于该主题的所有内容,但仍然无法解决我的问题。
Help me StackOverflow, you're my only hope.
帮助我 StackOverflow,你是我唯一的希望。
回答by Tom Hall
A couple of things you can try here, all web.config related, firstly modify your modules element to include the attribute runAllManagedModulesForAllRequests="true", as below:
你可以在这里尝试一些事情,所有 web.config 相关,首先修改你的 modules 元素以包含属性runAllManagedModulesForAllRequests="true",如下所示:
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDavModule" />
</modules>
Then set your handlers to the below:
然后将您的处理程序设置为以下内容:
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="WebDav" />
<remove name="OPTIONSVerbHandler" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
This should do the trick, but if it doesn't, as a last resort you can force IIS to output the correct headers with the below:
这应该可以解决问题,但如果没有,作为最后的手段,您可以强制 IIS 使用以下内容输出正确的标头:
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
</httpProtocol>
</system.webServer>
Be wary of the wildcard value, you should really set this to the domain name that your site will be hosted on.
小心通配符值,您应该真正将其设置为您的站点将在其上托管的域名。
回答by Anatoly Alekseev
that's what worked for me after 4 hours of searching/experimenting:
经过 4 个小时的搜索/实验,这对我有用:
<handlers>
<remove name="OPTIONSVerbHandler" />
<add name="OPTIONSVerbHandler" path="*" verb="OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\System32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="None" />
</handlers>
回答by jdehlin
I had the same issue and the following web.config settings fixed it for me.
我遇到了同样的问题,以下 web.config 设置为我修复了它。
<modules runAllManagedModulesForAllRequests="false">
<remove name="FormsAuthenticationModule" />
</modules>
<handlers>
<remove name="OPTIONSVerbHandler" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
I was then able to handle CORS OPTIONS requests manually in Application_BeginRequest.
然后我能够在 Application_BeginRequest 中手动处理 CORS OPTIONS 请求。
I was originally using the library detailed in this blog postfor handling CORS requests. The product I'm working on requires that runAllManagedModulesForAllRequests be set to false, though. This is why I had to set up a custom implementation, but if you don't have that requirement you should give that library a try. It worked great when I was able to have runAllManagedModulesForAllRequests set to true.
我最初使用这篇博文中详述的库来处理 CORS 请求。不过,我正在开发的产品要求将 runAllManagedModulesForAllRequests 设置为 false。这就是我必须设置自定义实现的原因,但如果您没有该要求,则应该尝试使用该库。当我能够将 runAllManagedModulesForAllRequests 设置为 true 时,它工作得很好。
回答by powdernine
I tried all of the above suggestions as well as others I found on SO and what mattered in my situation was we had Request Filtering enabled on IIS and the OPTIONS HTTP Verb was not in the list of allowed verbs. Once I added it I was able to sort out the rest of it.
我尝试了上述所有建议以及我在 SO 上找到的其他建议,在我的情况下重要的是我们在 IIS 上启用了请求过滤,而 OPTIONS HTTP Verb 不在允许的动词列表中。一旦我添加了它,我就能够整理出它的其余部分。
回答by Smithyhammer
In our case it was request filtering in IIS disabling OPTIONS verb at the root web application level. Open up IIS Manager, click on root application, click on Request Filtering, if OPTIONS appears in list either remove or Allow Verb. Wish I had checked this first as lots of wasted time.
在我们的例子中,它是 IIS 中的请求过滤,在根 Web 应用程序级别禁用 OPTIONS 动词。打开 IIS 管理器,单击根应用程序,单击请求过滤,如果 OPTIONS 出现在列表中,则删除或允许动词。希望我先检查一下,因为浪费了很多时间。
回答by jasmintmp
Check if URLScan tool is installed on IIS. When so check following section:
检查 IIS 上是否安装了 URLScan 工具。当这样检查以下部分时:
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
OPTIONS
回答by Nico Timmerman
In my case, I missed the Microsoft.WebApi.Cors package. Installed this package and configured it like so in the WebApiConfig class:
就我而言,我错过了 Microsoft.WebApi.Cors 包。安装这个包并在 WebApiConfig 类中像这样配置它:
public static void Register(HttpConfiguration config)
{
config.MapHttpAttributeRoutes();
config.EnableCors(new EnableCorsAttribute("*","*","*"));
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
Please fine-tune this before using in production because you probably don't want to have wild-cards for everything
请在生产中使用之前对其进行微调,因为您可能不希望所有内容都使用通配符
回答by Shiroy
This is what worked for me:
这对我有用:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
回答by Mahmoodvcs
In my case I did this:
就我而言,我这样做了:
<verbs allowUnlisted="true" applyToWebDAV="true">
<remove verb="OPTIONS"/>
<add verb="OPTIONS" allowed="true"/>
</verbs>
</requestFiltering>
</security>
When I added <add verb="OPTIONS" allowed="true"/>to the web.config, the application failed to start with this error
当我添加<add verb="OPTIONS" allowed="true"/>到 web.config 时,应用程序无法启动,出现此错误
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Cannot add duplicate collection entry of type 'add' with unique key attribute 'verb' set to 'OPTIONS'
So I had to remove it first.
所以我必须先删除它。
回答by Rousonur Jaman
I have installed Microsoft.AspNet.WebApi.Cors& Microsoft.Owin.Corsfor my oWin based WebAPI and added app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);at config like below:
我已经为我的基于 oWin 的 WebAPI安装了Microsoft.AspNet.WebApi.Cors&Microsoft.Owin.Cors并app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);在如下配置中添加:
public class Startup : IStartup, IAppStartup
{
public void Configuration(IAppBuilder app)
{
var config = this.GetInjectionConfiguration();
BootstrapperWebApi bootstrapperWebApi = (BootstrapperWebApi)this.GetBootstrapperWebApi(config);
bootstrapperWebApi.Initialize(true)
.EnableLogging()
.DisableWebApiDefaultExceptionHandler();
WebApiConfig.Register(config);
app.UseOwinExceptionHandler();
app.Use<LoggerMiddleware>();
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
//others stuff
}
