ajax 在 Azure 网站(Azure 应用服务)中启用 Access-Control-Allow-Credentials 标头
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/36860423/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Enable Access-Control-Allow-Credentials header in Azure website (Azure App Services)
提问by Maxime Rossini
We recently migrated an API application from Azure Cloud Services to Azure Websites, and some clients are still using our legacy protocol for authentication, which uses cookies (instead of the usual Authorization: BearerHTTP header). We need to support this authentication protocol for a little longer as the clients will not be able to migrate right away.
我们最近将 API 应用程序从 Azure 云服务迁移到 Azure 网站,一些客户端仍在使用我们的旧协议进行身份验证,该协议使用 cookie(而不是通常的Authorization: BearerHTTP 标头)。我们需要再支持此身份验证协议一段时间,因为客户端将无法立即迁移。
To support cookies in a cross-origin ajax request directed to the API, the client needs to set the withCredentialssetting to truein the XMLHttpRequest, and the server needs to repond with the Access-Control-Allow-Credentialsheader as well to any CORS request.
为了在定向到 API 的跨域 ajax 请求中支持 cookie,客户端需要在 XMLHttpRequest 中withCredentials设置为true,并且服务器需要Access-Control-Allow-Credentials响应标头以及任何 CORS 请求。
The problem we face is that the Azure Website manages CORS all by itself, and uses its own configuration (which is limited to a list of allowed origins) for the response, which does not allow this header to be set... thus breaking the application for all our Ajax clients!
我们面临的问题是,Azure 网站完全自己管理 CORS,并使用自己的配置(仅限于允许的来源列表)进行响应,这不允许设置此标头……从而破坏了适用于我们所有 Ajax 客户端的应用程序!
Is there a way to (temporarily) add this header in the responses?
有没有办法(临时)在响应中添加这个标头?
回答by Maxime Rossini
We finally managed to understand the behavior of the Azure Apps CORS middleware. To disable it, you have to clear every single allowed origin entry in the CORS blade of your web app (including *). Then you can manage CORS by yourself, either using the Web Api 2 functionality or using the web.config.
我们终于了解了 Azure Apps CORS 中间件的行为。要禁用它,您必须清除 Web 应用程序(包括*)的 CORS 刀片中的每个允许的原始条目。然后您可以自己管理 CORS,使用 Web Api 2 功能或使用 web.config。
The information is even available in the documentation:
该信息甚至可以在文档中找到:
Don't try to use both Web API CORS and App Service CORS in one API app. App Service CORS will take precedence and Web API CORS will have no effect. For example, if you enable one origin domain in App Service, and enable all origin domains in your Web API code, your Azure API app will only accept calls from the domain you specified in Azure.
不要尝试在一个 API 应用程序中同时使用 Web API CORS 和应用服务 CORS。应用服务 CORS 优先,Web API CORS 无效。例如,如果您在应用服务中启用一个源域,并在您的 Web API 代码中启用所有源域,则您的 Azure API 应用将只接受来自您在 Azure 中指定的域的调用。
So the final answer is: If your application does not need a very specific CORS management, you can use Azure App Service CORS. Otherwise you will need to handle it yourself and disable all CORS configuration in the web app.
所以最后的答案是:如果你的应用程序不需要非常具体的 CORS 管理,你可以使用 Azure App Service CORS。否则,您将需要自己处理并禁用 Web 应用程序中的所有 CORS 配置。
回答by Connor McMahon
This is now supported in the Azure App Service CORS feature. Unfortunately there is not a UX for it yet, so it is a little painful to enable.There are currently two straightforward methods.
Azure 应用服务 CORS 功能现在支持此功能。不幸的是,它还没有一个用户体验,所以启用它有点痛苦。目前有两种直接的方法。
On the Azure Portal, navigate to your Web App. Navigate to API > CORS. There is now a checkbox for
Enable Access-Control-Allow-Credentials. Check this box and pressSave.Use the Azure CLI with the following command:
在 Azure 门户上,导航到您的 Web 应用。导航到 API > CORS。现在有一个复选框
Enable Access-Control-Allow-Credentials。选中此框并按Save。通过以下命令使用 Azure CLI:
az resource update --name web --resource-group myResourceGroup --namespace Microsoft.Web --resource-type config --parent sites/<app_name> --set properties.cors.supportCredentials=true --api-version 2015-06-01
az resource update --name web --resource-group myResourceGroup --namespace Microsoft.Web --resource-type config --parent sites/<app_name> --set properties.cors.supportCredentials=true --api-version 2015-06-01
You can see more documentation here.
您可以在此处查看更多文档。
NOTE: This does not work with *as an allowed origin. This is a security choice we decided to make.
注意:这不适*用于允许的来源。这是我们决定做出的安全选择。
回答by Etienne Margraff
This is Something that you can do in the web.config file that is available in your web app.
这是您可以在 Web 应用程序中可用的 web.config 文件中执行的操作。
You can edit it using Visual Studio Online (Monaco) which is a Tools that you add from the Azure Portal.
您可以使用 Visual Studio Online (Monaco) 对其进行编辑,该工具是您从 Azure 门户添加的工具。
Read more here : http://enable-cors.org/server_iis7.html
在此处阅读更多信息:http: //enable-cors.org/server_iis7.html
