Add cors articles
parent
aae0d1973f
commit
5e68ff28fa
|
@ -1,8 +1,79 @@
|
|||
.. include:: /stub-topic.txt
|
||||
Specifying a CORS Policy
|
||||
========================
|
||||
|
||||
|stub-icon| Specifying a CORS Policy
|
||||
====================================
|
||||
By `Mike Wasson <https://github.com/MikeWasson>`_
|
||||
|
||||
.. include:: /stub-notice.txt
|
||||
Browser security prevents a web page from making AJAX requests to another domain. This restriction is called the *same-origin policy*, and prevents a malicious site from reading sensitive data from another site. However, sometimes you might want to let other sites make cross-origin requests to your web app.
|
||||
|
||||
.. _issue: https://github.com/aspnet/Docs/issues/136
|
||||
`Cross Origin Resource Sharing <http://www.w3.org/TR/cors/>`_ is a W3C standard that allows a server to relax the same-origin policy. Using CORS, a server can explicitly allow some cross-origin requests while rejecting others. This topic shows how to enable CORS in your ASP.NET MVC 6 application. (For background on CORS, see :ref:`cors-how-cors-works`.)
|
||||
|
||||
|
||||
Add the CORS package
|
||||
--------------------
|
||||
|
||||
In your project.json file, add the following:
|
||||
|
||||
.. literalinclude:: cors-policy/sample/project.json
|
||||
:language: json
|
||||
:lines: 5,9-10
|
||||
:emphasize-lines: 2
|
||||
|
||||
|
||||
Configure CORS
|
||||
--------------
|
||||
|
||||
To configure CORS, call ``ConfigureCors`` in the ``ConfigureServices`` method of your ``Startup`` class, as shown here:
|
||||
|
||||
.. literalinclude:: cors-policy/sample/Startup.cs
|
||||
:language: csharp
|
||||
:lines: 10-21,27
|
||||
:dedent: 8
|
||||
|
||||
This example defines a CORS policy named "AllowSpecificOrigin" that allows cross-origin requests from "http://example.com" and no other origins. The lambda takes a ``CorsPolicyBuilder`` object. To learn more about the various CORS policy settings, see :ref:`cors-policy-options`.
|
||||
|
||||
Apply CORS Policies
|
||||
-------------------
|
||||
|
||||
The next step is to apply the policies. You can apply a CORS policy per action, per controller, or globally for all controllers in your application.
|
||||
|
||||
Per action
|
||||
^^^^^^^^^^
|
||||
|
||||
Add the ``[EnableCors]`` attribute to the action. Specify the policy name.
|
||||
|
||||
.. literalinclude:: cors-policy/sample/Controllers/HomeController.cs
|
||||
:language: csharp
|
||||
:lines: 7-13
|
||||
:dedent: 4
|
||||
|
||||
Per controller
|
||||
^^^^^^^^^^^^^^
|
||||
|
||||
Add the ``[EnableCors]`` attribute to the controller class. Specify the policy name.
|
||||
|
||||
.. literalinclude:: cors-policy/sample/Controllers/HomeController.cs
|
||||
:language: csharp
|
||||
:lines: 6-8
|
||||
:dedent: 4
|
||||
|
||||
Globally
|
||||
^^^^^^^^
|
||||
|
||||
Add the ``CorsAuthorizationFilterFactory`` filter to the global filter collection:
|
||||
|
||||
.. literalinclude:: cors-policy/sample/Startup.cs
|
||||
:language: csharp
|
||||
:lines: 10-12,22-26
|
||||
:dedent: 8
|
||||
|
||||
The precedence order is: Action, controller, global. Action-level policies take precedence over controller-level policies, and controller-level policies take precedence over global policies.
|
||||
|
||||
Disable CORS
|
||||
^^^^^^^^^^^^
|
||||
|
||||
To disable CORS for a controller or action, use the ``[DisableCors]`` attribute.
|
||||
|
||||
.. literalinclude:: cors-policy/sample/Controllers/HomeController.cs
|
||||
:language: csharp
|
||||
:lines: 15-19
|
||||
:dedent: 4
|
|
@ -0,0 +1,21 @@
|
|||
using Microsoft.AspNet.Cors.Core;
|
||||
using Microsoft.AspNet.Mvc;
|
||||
|
||||
namespace CorsMvc.Controllers
|
||||
{
|
||||
[EnableCors("AllowSpecificOrigin")]
|
||||
public class HomeController : Controller
|
||||
{
|
||||
[EnableCors("AllowSpecificOrigin")]
|
||||
public IActionResult Index()
|
||||
{
|
||||
return View();
|
||||
}
|
||||
|
||||
[DisableCors]
|
||||
public IActionResult About()
|
||||
{
|
||||
return View();
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
using Microsoft.AspNet.Builder;
|
||||
using Microsoft.AspNet.Mvc;
|
||||
using Microsoft.Framework.DependencyInjection;
|
||||
|
||||
namespace CorsMvc
|
||||
{
|
||||
public class Startup
|
||||
{
|
||||
|
||||
public void ConfigureServices(IServiceCollection services)
|
||||
{
|
||||
services.AddMvc();
|
||||
services.ConfigureCors(options =>
|
||||
{
|
||||
// Define one or more CORS policies
|
||||
options.AddPolicy("AllowSpecificOrigin",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com");
|
||||
});
|
||||
});
|
||||
|
||||
services.Configure<MvcOptions>(options =>
|
||||
{
|
||||
options.Filters.Add(new CorsAuthorizationFilterFactory("AllowSpecificOrigin"));
|
||||
});
|
||||
}
|
||||
|
||||
public void Configure(IApplicationBuilder app)
|
||||
{
|
||||
app.UseMvc();
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
{
|
||||
"webroot": "wwwroot",
|
||||
"version": "1.0.0-*",
|
||||
|
||||
"dependencies": {
|
||||
"Microsoft.AspNet.Server.IIS": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Server.WebListener": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Mvc": "6.0.0-beta4",
|
||||
"Microsoft.AspNet.Cors": "1.0.0-beta4"
|
||||
},
|
||||
|
||||
"commands": {
|
||||
"web": "Microsoft.AspNet.Hosting --server Microsoft.AspNet.Server.WebListener --server.urls http://localhost:5000"
|
||||
},
|
||||
|
||||
"frameworks": {
|
||||
"dnx451": { },
|
||||
"dnxcore50": { }
|
||||
},
|
||||
|
||||
"publishExclude": [
|
||||
"node_modules",
|
||||
"bower_components",
|
||||
"**.xproj",
|
||||
"**.user",
|
||||
"**.vspscc"
|
||||
],
|
||||
"exclude": [
|
||||
"wwwroot",
|
||||
"node_modules",
|
||||
"bower_components"
|
||||
]
|
||||
}
|
|
@ -1,8 +1,313 @@
|
|||
.. include:: /stub-topic.txt
|
||||
Enabling Cross-Origin Requests (CORS)
|
||||
=====================================
|
||||
|
||||
|stub-icon| Enabling CORS
|
||||
=========================
|
||||
By `Mike Wasson <https://github.com/MikeWasson>`_
|
||||
|
||||
.. include:: /stub-notice.txt
|
||||
Browser security prevents a web page from making AJAX requests to another domain. This restriction is called the *same-origin policy*, and prevents a malicious site from reading sensitive data from another site. However, sometimes you might want to let other sites make cross-origin requests to your web app.
|
||||
|
||||
`Cross Origin Resource Sharing <http://www.w3.org/TR/cors/>`_ (CORS) is a W3C standard that allows a server to relax the same-origin policy. Using CORS, a server can explicitly allow some cross-origin requests while rejecting others. CORS is safer and more flexible than earlier techniques such as `JSONP <http://en.wikipedia.org/wiki/JSONP>`_. This topic shows how to enable CORS in your ASP.NET 5 application.
|
||||
|
||||
In this article:
|
||||
- `What is "same origin"?`_
|
||||
- `Add the CORS package`_
|
||||
- `Configure CORS in your app`_
|
||||
- `CORS policy options`_
|
||||
- `How CORS works`_
|
||||
|
||||
.. note:: This topic covers general ASP.NET 5 apps. For information about CORS support in ASP.NET MVC 6, see :doc:`Specifying a CORS Policy </mvc/security/cors-policy>`.
|
||||
|
||||
What is "same origin"?
|
||||
----------------------
|
||||
|
||||
Two URLs have the same origin if they have identical schemes, hosts, and ports. (`RFC 6454 <http://tools.ietf.org/html/rfc6454>`_)
|
||||
|
||||
These two URLs have the same origin:
|
||||
|
||||
- http://example.com/foo.html
|
||||
- http://example.com/bar.html
|
||||
|
||||
These URLs have different origins than the previous two:
|
||||
|
||||
- http://example.net - Different domain
|
||||
- http://example.com:9000/foo.html - Different port
|
||||
- https://example.com/foo.html - Different scheme
|
||||
- http://www.example.com/foo.html - Different subdomain
|
||||
|
||||
.. note:: Internet Explorer does not consider the port when comparing origins.
|
||||
|
||||
Add the CORS package
|
||||
--------------------
|
||||
|
||||
In your project.json file, add the following:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample1/project.json
|
||||
:language: json
|
||||
:lines: 5,8-9
|
||||
:emphasize-lines: 2
|
||||
|
||||
Configure CORS in your app
|
||||
--------------------------
|
||||
|
||||
This section shows how to configure CORS. First, add the CORS service. In Startup.cs:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample1/Startup.cs
|
||||
:language: csharp
|
||||
:lines: 9-12
|
||||
:dedent: 8
|
||||
|
||||
Next, configure a cross-origin policy, using the ``CorsPolicyBuilder`` class. There are two ways to do this. The first is to call UseCors with a lambda:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample1/Startup.cs
|
||||
:language: csharp
|
||||
:lines: 15-18, 24
|
||||
:dedent: 8
|
||||
|
||||
The lambda takes a CorsPolicyBuilder object. I’ll describe all of the configuration options later in this topic. In this example, the policy allows cross-origin requests from "http://example.com" and no other origins.
|
||||
|
||||
Note that CorsPolicyBuilder has a fluent API, so you can chain method calls:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample3/Startup.cs
|
||||
:language: csharp
|
||||
:lines: 21-24
|
||||
:dedent: 12
|
||||
:emphasize-lines: 3
|
||||
|
||||
The second approach is to define one or more named CORS policies, and then select the policy by name at run time.
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample2/Startup.cs
|
||||
:language: csharp
|
||||
:lines: 9-18,20-23,27
|
||||
:dedent: 8
|
||||
|
||||
This example adds a CORS policy named "AllowSpecificOrigin". To select the policy, pass the name to UseCors.
|
||||
|
||||
.. _cors-policy-options:
|
||||
|
||||
CORS policy options
|
||||
-------------------
|
||||
|
||||
This section describes the various options that you can set in a CORS policy.
|
||||
|
||||
- `Set the allowed origins`_
|
||||
- `Set the allowed HTTP methods`_
|
||||
- `Set the allowed request headers`_
|
||||
- `Set the exposed response headers`_
|
||||
- `Credentials in cross-origin requests`_
|
||||
- `Set the preflight expiration time`_
|
||||
|
||||
For some options it may be helpful to read `How CORS works`_ first.
|
||||
|
||||
Set the allowed origins
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To allow one or more specific origins:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN01
|
||||
:end-before: END01
|
||||
:dedent: 16
|
||||
|
||||
To allow all origins:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN02
|
||||
:end-before: END02
|
||||
:dedent: 16
|
||||
|
||||
Consider carefully before allowing requests from any origin. It means that literally any website can make AJAX calls to your app.
|
||||
|
||||
Set the allowed HTTP methods
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
To specify which HTTP methods are allowed to access the resource.
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN03
|
||||
:end-before: END03
|
||||
:dedent: 16
|
||||
|
||||
To allow all HTTP methods:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN04
|
||||
:end-before: END04
|
||||
:dedent: 16
|
||||
|
||||
This affects pre-flight requests and Access-Control-Allow-Methods header.
|
||||
|
||||
Set the allowed request headers
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
A CORS preflight request might include an Access-Control-Request-Headers header, listing the HTTP headers set by the application (the so-called "author request headers").
|
||||
|
||||
To whitelist specific headers:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN05
|
||||
:end-before: END05
|
||||
:dedent: 16
|
||||
|
||||
To allow all author request headers:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN06
|
||||
:end-before: END06
|
||||
:dedent: 16
|
||||
|
||||
Browsers are not entirely consistent in how they set Access-Control-Request-Headers. If you set headers to anything other than "*", you should include at least "accept", "content-type", and "origin", plus any custom headers that you want to support.
|
||||
|
||||
Set the exposed response headers
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
By default, the browser does not expose all of the response headers to the application. (See http://www.w3.org/TR/cors/#simple-response-header.) The response headers that are available by default are:
|
||||
|
||||
- Cache-Control
|
||||
- Content-Language
|
||||
- Content-Type
|
||||
- Expires
|
||||
- Last-Modified
|
||||
- Pragma
|
||||
|
||||
The CORS spec calls these *simple response headers*. To make other headers available to the application:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN07
|
||||
:end-before: END07
|
||||
:dedent: 16
|
||||
|
||||
Credentials in cross-origin requests
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Credentials require special handling in a CORS request. By default, the browser does not send any credentials with a cross-origin request. Credentials include cookies as well as HTTP authentication schemes. To send credentials with a cross-origin request, the client must set XMLHttpRequest.withCredentials to true.
|
||||
|
||||
Using XMLHttpRequest directly:
|
||||
|
||||
.. code-block:: js
|
||||
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open('get', 'http://www.example.com/api/test');
|
||||
xhr.withCredentials = true;
|
||||
|
||||
In jQuery:
|
||||
|
||||
.. code-block:: js
|
||||
|
||||
$.ajax({
|
||||
type: 'get',
|
||||
url: 'http://www.example.com/home',
|
||||
xhrFields: {
|
||||
withCredentials: true
|
||||
}
|
||||
|
||||
In addition, the server must allow the credentials. To allow cross-origin credentials:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN08
|
||||
:end-before: END08
|
||||
:dedent: 16
|
||||
|
||||
Now the HTTP response will include an Access-Control-Allow-Credentials header, which tells the browser that the server allows credentials for a cross-origin request.
|
||||
|
||||
If the browser sends credentials, but the response does not include a valid Access-Control-Allow-Credentials header, the browser will not expose the response to the application, and the AJAX request fails.
|
||||
|
||||
Be very careful about allowing cross-origin credentials, because it means a website at another domain can send a logged-in user’s credentials to your app on the user’s behalf, without the user being aware. The CORS spec also states that setting origins to "*" (all origins) is invalid if the Access-Control-Allow-Credentials header is present.
|
||||
|
||||
Set the preflight expiration time
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The Access-Control-Max-Age header specifies how long the response to the preflight request can be cached. To set this header:
|
||||
|
||||
.. literalinclude:: cors/sample/src/CorsExample4/Startup.cs
|
||||
:language: csharp
|
||||
:start-after: BEGIN09
|
||||
:end-before: END09
|
||||
:dedent: 16
|
||||
|
||||
.. _cors-how-cors-works:
|
||||
|
||||
How CORS works
|
||||
--------------
|
||||
|
||||
This section describes what happens in a CORS request, at the level of the HTTP messages. It’s important to understand how CORS works, so that you can configure the your CORS policy correctly, and troubleshoot if things don’t work as you expect.
|
||||
|
||||
The CORS specification introduces several new HTTP headers that enable cross-origin requests. If a browser supports CORS, it sets these headers automatically for cross-origin requests; you don’t need to do anything special in your JavaScript code.
|
||||
|
||||
Here is an example of a cross-origin request. The "Origin" header gives the domain of the site that is making the request::
|
||||
|
||||
GET http://myservice.azurewebsites.net/api/test HTTP/1.1
|
||||
Referer: http://myclient.azurewebsites.net/
|
||||
Accept: */*
|
||||
Accept-Language: en-US
|
||||
Origin: http://myclient.azurewebsites.net
|
||||
Accept-Encoding: gzip, deflate
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
|
||||
Host: myservice.azurewebsites.net
|
||||
|
||||
If the server allows the request, it sets the Access-Control-Allow-Origin header. The value of this header either matches the Origin header, or is the wildcard value "*", meaning that any origin is allowed.::
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Cache-Control: no-cache
|
||||
Pragma: no-cache
|
||||
Content-Type: text/plain; charset=utf-8
|
||||
Access-Control-Allow-Origin: http://myclient.azurewebsites.net
|
||||
Date: Wed, 20 May 2015 06:27:30 GMT
|
||||
Content-Length: 12
|
||||
|
||||
Test message
|
||||
|
||||
If the response does not include the Access-Control-Allow-Origin header, the AJAX request fails. Specifically, the browser disallows the request. Even if the server returns a successful response, the browser does not make the response available to the client application.
|
||||
|
||||
Preflight Requests
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
For some CORS requests, the browser sends an additional request, called a "preflight request", before it sends the actual request for the resource.
|
||||
The browser can skip the preflight request if the following conditions are true:
|
||||
|
||||
- The request method is GET, HEAD, or POST, and
|
||||
- The application does not set any request headers other than Accept, Accept-Language, Content-Language, Content-Type, or Last-Event-ID, and
|
||||
- The Content-Type header (if set) is one of the following:
|
||||
|
||||
- application/x-www-form-urlencoded
|
||||
- multipart/form-data
|
||||
- text/plain
|
||||
|
||||
The rule about request headers applies to headers that the application sets by calling setRequestHeader on the XMLHttpRequest object. (The CORS specification calls these "author request headers".) The rule does not apply to headers the browser can set, such as User-Agent, Host, or Content-Length.
|
||||
|
||||
Here is an example of a preflight request::
|
||||
|
||||
OPTIONS http://myservice.azurewebsites.net/api/test HTTP/1.1
|
||||
Accept: */*
|
||||
Origin: http://myclient.azurewebsites.net
|
||||
Access-Control-Request-Method: PUT
|
||||
Access-Control-Request-Headers: accept, x-my-custom-header
|
||||
Accept-Encoding: gzip, deflate
|
||||
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)
|
||||
Host: myservice.azurewebsites.net
|
||||
Content-Length: 0
|
||||
|
||||
The pre-flight request uses the HTTP OPTIONS method. It includes two special headers:
|
||||
|
||||
- Access-Control-Request-Method: The HTTP method that will be used for the actual request.
|
||||
- Access-Control-Request-Headers: A list of request headers that the application set on the actual request. (Again, this does not include headers that the browser sets.)
|
||||
|
||||
Here is an example response, assuming that the server allows the request::
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Cache-Control: no-cache
|
||||
Pragma: no-cache
|
||||
Content-Length: 0
|
||||
Access-Control-Allow-Origin: http://myclient.azurewebsites.net
|
||||
Access-Control-Allow-Headers: x-my-custom-header
|
||||
Access-Control-Allow-Methods: PUT
|
||||
Date: Wed, 20 May 2015 06:33:22 GMT
|
||||
|
||||
The response includes an Access-Control-Allow-Methods header that lists the allowed methods, and optionally an Access-Control-Allow-Headers header, which lists the allowed headers. If the preflight request succeeds, the browser sends the actual request, as described earlier.
|
||||
|
||||
.. _issue: https://github.com/aspnet/Docs/issues/94
|
|
@ -0,0 +1,58 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio 14
|
||||
VisualStudioVersion = 14.0.22823.1
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{CCA5EA01-8CD1-4333-A107-5B299642DED7}"
|
||||
EndProject
|
||||
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{D23F3ED5-A214-4473-9AC1-AE600B2D4C2D}"
|
||||
ProjectSection(SolutionItems) = preProject
|
||||
global.json = global.json
|
||||
EndProjectSection
|
||||
EndProject
|
||||
Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "CorsExample1", "src\CorsExample1\CorsExample1.xproj", "{CC651D90-4F4E-4529-AAC5-37E48B82D1EC}"
|
||||
EndProject
|
||||
Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "CorsExample2", "src\CorsExample2\CorsExample2.xproj", "{93B54C02-B425-487B-9621-4FD41F6325DA}"
|
||||
EndProject
|
||||
Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "CorsMvc", "src\CorsMvc\CorsMvc.xproj", "{10B8C34D-BE81-4A02-984B-55AB75B90643}"
|
||||
EndProject
|
||||
Project("{8BB2217D-0F2D-49D1-97BC-3654ED321F3B}") = "CorsExample4", "src\CorsExample4\CorsExample4.xproj", "{3FC1564E-EC79-4B82-AE2C-563215453F94}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|Any CPU = Debug|Any CPU
|
||||
Release|Any CPU = Release|Any CPU
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{CC651D90-4F4E-4529-AAC5-37E48B82D1EC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
||||
{CC651D90-4F4E-4529-AAC5-37E48B82D1EC}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
||||
{CC651D90-4F4E-4529-AAC5-37E48B82D1EC}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
||||
{CC651D90-4F4E-4529-AAC5-37E48B82D1EC}.Release|Any CPU.Build.0 = Release|Any CPU
|
||||
{93B54C02-B425-487B-9621-4FD41F6325DA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
||||
{93B54C02-B425-487B-9621-4FD41F6325DA}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
||||
{93B54C02-B425-487B-9621-4FD41F6325DA}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
||||
{93B54C02-B425-487B-9621-4FD41F6325DA}.Release|Any CPU.Build.0 = Release|Any CPU
|
||||
{10B8C34D-BE81-4A02-984B-55AB75B90643}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
||||
{10B8C34D-BE81-4A02-984B-55AB75B90643}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
||||
{10B8C34D-BE81-4A02-984B-55AB75B90643}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
||||
{10B8C34D-BE81-4A02-984B-55AB75B90643}.Release|Any CPU.Build.0 = Release|Any CPU
|
||||
{EF312103-8CD2-4469-8403-F6E7D1C8A92D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
||||
{EF312103-8CD2-4469-8403-F6E7D1C8A92D}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
||||
{EF312103-8CD2-4469-8403-F6E7D1C8A92D}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
||||
{EF312103-8CD2-4469-8403-F6E7D1C8A92D}.Release|Any CPU.Build.0 = Release|Any CPU
|
||||
{3FC1564E-EC79-4B82-AE2C-563215453F94}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
|
||||
{3FC1564E-EC79-4B82-AE2C-563215453F94}.Debug|Any CPU.Build.0 = Debug|Any CPU
|
||||
{3FC1564E-EC79-4B82-AE2C-563215453F94}.Release|Any CPU.ActiveCfg = Release|Any CPU
|
||||
{3FC1564E-EC79-4B82-AE2C-563215453F94}.Release|Any CPU.Build.0 = Release|Any CPU
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(NestedProjects) = preSolution
|
||||
{CC651D90-4F4E-4529-AAC5-37E48B82D1EC} = {CCA5EA01-8CD1-4333-A107-5B299642DED7}
|
||||
{93B54C02-B425-487B-9621-4FD41F6325DA} = {CCA5EA01-8CD1-4333-A107-5B299642DED7}
|
||||
{10B8C34D-BE81-4A02-984B-55AB75B90643} = {CCA5EA01-8CD1-4333-A107-5B299642DED7}
|
||||
{EF312103-8CD2-4469-8403-F6E7D1C8A92D} = {CCA5EA01-8CD1-4333-A107-5B299642DED7}
|
||||
{3FC1564E-EC79-4B82-AE2C-563215453F94} = {CCA5EA01-8CD1-4333-A107-5B299642DED7}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,6 @@
|
|||
{
|
||||
"projects": [ "src", "test" ],
|
||||
"sdk": {
|
||||
"version": "1.0.0-beta4"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup>
|
||||
<VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">14.0</VisualStudioVersion>
|
||||
<VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.Props" Condition="'$(VSToolsPath)' != ''" />
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>cc651d90-4f4e-4529-aac5-37e48b82d1ec</ProjectGuid>
|
||||
<RootNamespace>CorsExamples</RootNamespace>
|
||||
<BaseIntermediateOutputPath Condition="'$(BaseIntermediateOutputPath)'=='' ">..\..\artifacts\obj\$(MSBuildProjectName)</BaseIntermediateOutputPath>
|
||||
<OutputPath Condition="'$(OutputPath)'=='' ">..\..\artifacts\bin\$(MSBuildProjectName)\</OutputPath>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup>
|
||||
<SchemaVersion>2.0</SchemaVersion>
|
||||
<DevelopmentServerPort>42354</DevelopmentServerPort>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.targets" Condition="'$(VSToolsPath)' != ''" />
|
||||
</Project>
|
|
@ -0,0 +1,26 @@
|
|||
using Microsoft.AspNet.Builder;
|
||||
using Microsoft.AspNet.Http;
|
||||
using Microsoft.Framework.DependencyInjection;
|
||||
|
||||
namespace CorsExamples
|
||||
{
|
||||
public class Startup
|
||||
{
|
||||
public void ConfigureServices(IServiceCollection services)
|
||||
{
|
||||
services.AddCors();
|
||||
}
|
||||
|
||||
// Shows UseCos with CorsPolicyBuilder
|
||||
public void Configure(IApplicationBuilder app)
|
||||
{
|
||||
app.UseCors(builder =>
|
||||
builder.WithOrigins("http://example.com"));
|
||||
|
||||
app.Run(async (context) =>
|
||||
{
|
||||
await context.Response.WriteAsync("Hello World!");
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"webroot": "wwwroot",
|
||||
"version": "1.0.0-*",
|
||||
|
||||
"dependencies": {
|
||||
"Microsoft.AspNet.Server.IIS": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Server.WebListener": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Cors": "1.0.0-beta4"
|
||||
},
|
||||
|
||||
"commands": {
|
||||
"web": "Microsoft.AspNet.Hosting --server Microsoft.AspNet.Server.WebListener --server.urls http://localhost:5000"
|
||||
},
|
||||
|
||||
"frameworks": {
|
||||
"dnx451": { },
|
||||
"dnxcore50": { }
|
||||
},
|
||||
|
||||
"publishExclude": [
|
||||
"node_modules",
|
||||
"bower_components",
|
||||
"**.xproj",
|
||||
"**.user",
|
||||
"**.vspscc"
|
||||
],
|
||||
"exclude": [
|
||||
"wwwroot",
|
||||
"node_modules",
|
||||
"bower_components"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup>
|
||||
<VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">14.0</VisualStudioVersion>
|
||||
<VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.Props" Condition="'$(VSToolsPath)' != ''" />
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>93b54c02-b425-487b-9621-4fd41f6325da</ProjectGuid>
|
||||
<RootNamespace>CorsExample2</RootNamespace>
|
||||
<BaseIntermediateOutputPath Condition="'$(BaseIntermediateOutputPath)'=='' ">..\..\artifacts\obj\$(MSBuildProjectName)</BaseIntermediateOutputPath>
|
||||
<OutputPath Condition="'$(OutputPath)'=='' ">..\..\artifacts\bin\$(MSBuildProjectName)\</OutputPath>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup>
|
||||
<SchemaVersion>2.0</SchemaVersion>
|
||||
<DevelopmentServerPort>42461</DevelopmentServerPort>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.targets" Condition="'$(VSToolsPath)' != ''" />
|
||||
</Project>
|
|
@ -0,0 +1,29 @@
|
|||
using Microsoft.AspNet.Builder;
|
||||
using Microsoft.AspNet.Http;
|
||||
using Microsoft.Framework.DependencyInjection;
|
||||
|
||||
namespace CorsExample2
|
||||
{
|
||||
public class Startup
|
||||
{
|
||||
public void ConfigureServices(IServiceCollection services)
|
||||
{
|
||||
services.AddCors();
|
||||
services.ConfigureCors(options =>
|
||||
{
|
||||
options.AddPolicy("AllowSpecificOrigin",
|
||||
builder => builder.WithOrigins("http://example.com"));
|
||||
});
|
||||
}
|
||||
|
||||
// Shows UseCors with named policy
|
||||
public void Configure(IApplicationBuilder app)
|
||||
{
|
||||
app.UseCors("AllowSpecificOrigin");
|
||||
app.Run(async (context) =>
|
||||
{
|
||||
await context.Response.WriteAsync("Hello World!");
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"webroot": "wwwroot",
|
||||
"version": "1.0.0-*",
|
||||
|
||||
"dependencies": {
|
||||
"Microsoft.AspNet.Server.IIS": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Server.WebListener": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Cors": "1.0.0-beta4"
|
||||
},
|
||||
|
||||
"commands": {
|
||||
"web": "Microsoft.AspNet.Hosting --server Microsoft.AspNet.Server.WebListener --server.urls http://localhost:5000"
|
||||
},
|
||||
|
||||
"frameworks": {
|
||||
"dnx451": { },
|
||||
"dnxcore50": { }
|
||||
},
|
||||
|
||||
"publishExclude": [
|
||||
"node_modules",
|
||||
"bower_components",
|
||||
"**.xproj",
|
||||
"**.user",
|
||||
"**.vspscc"
|
||||
],
|
||||
"exclude": [
|
||||
"wwwroot",
|
||||
"node_modules",
|
||||
"bower_components"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup>
|
||||
<VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">14.0</VisualStudioVersion>
|
||||
<VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.Props" Condition="'$(VSToolsPath)' != ''" />
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>ef312103-8cd2-4469-8403-f6e7d1c8a92d</ProjectGuid>
|
||||
<RootNamespace>CorsExample3</RootNamespace>
|
||||
<BaseIntermediateOutputPath Condition="'$(BaseIntermediateOutputPath)'=='' ">..\..\artifacts\obj\$(MSBuildProjectName)</BaseIntermediateOutputPath>
|
||||
<OutputPath Condition="'$(OutputPath)'=='' ">..\..\artifacts\bin\$(MSBuildProjectName)\</OutputPath>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup>
|
||||
<SchemaVersion>2.0</SchemaVersion>
|
||||
<DevelopmentServerPort>42527</DevelopmentServerPort>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.targets" Condition="'$(VSToolsPath)' != ''" />
|
||||
</Project>
|
|
@ -0,0 +1,32 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.AspNet.Builder;
|
||||
using Microsoft.AspNet.Http;
|
||||
using Microsoft.Framework.DependencyInjection;
|
||||
|
||||
namespace CorsExample3
|
||||
{
|
||||
public class Startup
|
||||
{
|
||||
public void ConfigureServices(IServiceCollection services)
|
||||
{
|
||||
services.AddCors();
|
||||
}
|
||||
|
||||
// Shows fluent API
|
||||
public void Configure(IApplicationBuilder app)
|
||||
{
|
||||
app.UseCors(builder =>
|
||||
builder.WithOrigins("http://example.com")
|
||||
.AllowAnyHeader()
|
||||
);
|
||||
|
||||
app.Run(async (context) =>
|
||||
{
|
||||
await context.Response.WriteAsync("Hello World!");
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"webroot": "wwwroot",
|
||||
"version": "1.0.0-*",
|
||||
|
||||
"dependencies": {
|
||||
"Microsoft.AspNet.Server.IIS": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Server.WebListener": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Cors": "1.0.0-beta4"
|
||||
},
|
||||
|
||||
"commands": {
|
||||
"web": "Microsoft.AspNet.Hosting --server Microsoft.AspNet.Server.WebListener --server.urls http://localhost:5000"
|
||||
},
|
||||
|
||||
"frameworks": {
|
||||
"dnx451": { },
|
||||
"dnxcore50": { }
|
||||
},
|
||||
|
||||
"publishExclude": [
|
||||
"node_modules",
|
||||
"bower_components",
|
||||
"**.xproj",
|
||||
"**.user",
|
||||
"**.vspscc"
|
||||
],
|
||||
"exclude": [
|
||||
"wwwroot",
|
||||
"node_modules",
|
||||
"bower_components"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project ToolsVersion="14.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<PropertyGroup>
|
||||
<VisualStudioVersion Condition="'$(VisualStudioVersion)' == ''">14.0</VisualStudioVersion>
|
||||
<VSToolsPath Condition="'$(VSToolsPath)' == ''">$(MSBuildExtensionsPath32)\Microsoft\VisualStudio\v$(VisualStudioVersion)</VSToolsPath>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.Props" Condition="'$(VSToolsPath)' != ''" />
|
||||
<PropertyGroup Label="Globals">
|
||||
<ProjectGuid>3fc1564e-ec79-4b82-ae2c-563215453f94</ProjectGuid>
|
||||
<RootNamespace>CorsExample4</RootNamespace>
|
||||
<BaseIntermediateOutputPath Condition="'$(BaseIntermediateOutputPath)'=='' ">..\..\artifacts\obj\$(MSBuildProjectName)</BaseIntermediateOutputPath>
|
||||
<OutputPath Condition="'$(OutputPath)'=='' ">..\..\artifacts\bin\$(MSBuildProjectName)\</OutputPath>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup>
|
||||
<SchemaVersion>2.0</SchemaVersion>
|
||||
<DevelopmentServerPort>42595</DevelopmentServerPort>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VSToolsPath)\DNX\Microsoft.DNX.targets" Condition="'$(VSToolsPath)' != ''" />
|
||||
</Project>
|
|
@ -0,0 +1,108 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.AspNet.Builder;
|
||||
using Microsoft.AspNet.Http;
|
||||
using Microsoft.Framework.DepEND0encyInjection;
|
||||
|
||||
namespace CorsExample4
|
||||
{
|
||||
public class Startup
|
||||
{
|
||||
public void ConfigureServices(IServiceCollection services)
|
||||
{
|
||||
services.AddCors();
|
||||
services.ConfigureCors(options =>
|
||||
{
|
||||
// BEGIN01
|
||||
options.AddPolicy("AllowSpecificOrigins",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com", "http://www.contoso.com");
|
||||
});
|
||||
// END01
|
||||
|
||||
// BEGIN02
|
||||
options.AddPolicy("AllowAllOrigins",
|
||||
builder =>
|
||||
{
|
||||
builder.AllowAnyOrigin();
|
||||
});
|
||||
// END02
|
||||
|
||||
// BEGIN03
|
||||
options.AddPolicy("AllowSpecificMethods",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.WithMethods("GET", "POST", "HEAD");
|
||||
});
|
||||
// END03
|
||||
|
||||
// BEGIN04
|
||||
options.AddPolicy("AllowAllMethods",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.AllowAnyMethod();
|
||||
});
|
||||
// END04
|
||||
|
||||
// BEGIN05
|
||||
options.AddPolicy("AllowHeaders",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.WithHeaders("accept", "content-type", "origin", "x-custom-header");
|
||||
});
|
||||
// END05
|
||||
|
||||
// BEGIN06
|
||||
options.AddPolicy("AllowAllHeaders",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.AllowAnyHeader();
|
||||
});
|
||||
// END06
|
||||
|
||||
// BEGIN07
|
||||
options.AddPolicy("ExposeResponseHeaders",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.WithExposedHeaders("x-custom-header");
|
||||
});
|
||||
// END07
|
||||
|
||||
// BEGIN08
|
||||
options.AddPolicy("AllowCredentials",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.AllowCredentials();
|
||||
});
|
||||
// END08
|
||||
|
||||
// BEGIN09
|
||||
options.AddPolicy("SetPreflightExpiration",
|
||||
builder =>
|
||||
{
|
||||
builder.WithOrigins("http://example.com")
|
||||
.SetPreflightMaxAge(TimeSpan.FromSeconds(2520));
|
||||
});
|
||||
// END09
|
||||
});
|
||||
}
|
||||
|
||||
public void Configure(IApplicationBuilder app)
|
||||
{
|
||||
app.UseCors("AllowSpecificOrigins");
|
||||
app.Run(async (context) =>
|
||||
{
|
||||
await context.Response.WriteAsync("Hello World!");
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"webroot": "wwwroot",
|
||||
"version": "1.0.0-*",
|
||||
|
||||
"dependencies": {
|
||||
"Microsoft.AspNet.Server.IIS": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Server.WebListener": "1.0.0-beta4",
|
||||
"Microsoft.AspNet.Cors": "1.0.0-beta4"
|
||||
},
|
||||
|
||||
"commands": {
|
||||
"web": "Microsoft.AspNet.Hosting --server Microsoft.AspNet.Server.WebListener --server.urls http://localhost:5000"
|
||||
},
|
||||
|
||||
"frameworks": {
|
||||
"dnx451": { },
|
||||
"dnxcore50": { }
|
||||
},
|
||||
|
||||
"publishExclude": [
|
||||
"node_modules",
|
||||
"bower_components",
|
||||
"**.xproj",
|
||||
"**.user",
|
||||
"**.vspscc"
|
||||
],
|
||||
"exclude": [
|
||||
"wwwroot",
|
||||
"node_modules",
|
||||
"bower_components"
|
||||
]
|
||||
}
|
Loading…
Reference in New Issue