Is ASP.NET Core over-implementing the CORS specification, or is my understanding of the CORS specification incomplete?

softwareengineering.stackexchange https://softwareengineering.stackexchange.com/questions/415864

15-03-2021

Overview:

  • I have performed 2 experiments to understand the implementation of the ASP.NET Core libraries with regard to the CORS specification.
  • Experiment 1 shows that a web page (HTML) is not able to make an AJAX request to another endpoint (ASP.NET Core).
  • Experiment 2 shows that after allowing CORS in the ASP.NET Core application, the web page is able to successfully make the AJAX request.
  • The question for me is "Why is a simple GET call with no cookies or auth token affected by CORS middleware?"
  • The other question is "How can a GET call be blocked by CORS without making a preflight OPTIONS call?"

Experiment 1:

  • Create a simple ASP.NET Core API application with one endpoint, https://localhost:5001/hello
  • Create an HTML page that hits the endpoint on load
  • Run the ASP.NET Core application
  • Open the HTML page in a browser and observe the console

Observation 1:

  • The empty HTML page loads
  • There is an error in the console saying "Failed to load resource: net::ERR_CONNECTION_REFUSED"
  • While checking the network tab of the browser, the GET call has failed.
  • There has been no OPTIONS call

Experiment 2:

  • Modify the ASP.NET Core application to add an any-origin CORS policy
  • Use the CORS policy
  • Run the ASP.NET Core application
  • Open the HTML page in a browser and observe the console

Observation 2:

  • The empty HTML page loads
  • There is NO error in the console saying "Failed to load resource: net::ERR_CONNECTION_REFUSED". The page is successfully able to access the resource from the ASP.NET Core application
  • While checking the network tab of the browser, the GET call has succeeded.
  • There has been no OPTIONS call

Doubt

  1. Why is adding CORS affecting this behavior? As per the CORS specification, a simple GET is not affected by CORS.
  2. Even if CORS is supposed to affect this, the behavior is not as per the CORS specification. There has been no OPTIONS call; the call that's failing is the GET.

ASP.NET Core code

HelloController.cs

    [ApiController]
    [Route("[controller]")]
    public class HelloController : ControllerBase
    {
        [HttpGet]
        public string Hello()
        {
            return "hello";
        }
    }

Startup.cs

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();

            //********************************************
            //Enabled for the second experiment
            services.AddCors(c =>
            {
                c.AddPolicy("AllowOrigin", options => options.AllowAnyOrigin());
            });
            //********************************************
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseHttpsRedirection();

            app.UseRouting();

            //***************************************
            //Enable for the second experiment
            app.UseCors("AllowOrigin");
            //****************************************

            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }

HTML code page.html

    <html>
      <body onload="updateDB();">
        <script>
          // On page load, fire a cross-origin GET at the API; the outcome is logged to the console
          function updateDB() {
            var xhr = new XMLHttpRequest();
            xhr.open("GET", "https://localhost:5001/hello", true);
            xhr.onload = function () {
              console.log("status", xhr.status, "body", xhr.responseText);
            };
            xhr.onerror = function () {
              console.error("request failed (see the network tab)");
            };
            xhr.send(null);
          }
        </script>
      </body>
    </html>

Solution

I believe you are simply misunderstanding the (insanely complex) CORS documentation.

A GET request doesn't need a preflight request, but it is still subject to CORS unless its mode is no-cors.

Your browser is unlikely to use the no-cors mode for any JavaScript methods.

"XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers."

If you browse directly to the URL it will work; if you use JavaScript running in a browser, the browser will throw an error.
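The answer rests on two separate browser decisions: whether a request needs an OPTIONS preflight before it is sent, and whether the page's script may read the response once it arrives. The second check applies to every cross-origin request, including a plain GET that skipped the preflight. The following is an added example, not code from the question, the answer, or ASP.NET Core: a small JavaScript model of both decisions, replayed against the two experiments with constructed responses. The page origin `http://localhost:8080` and the response headers are assumptions; real browsers implement the full Fetch standard, and this model covers only the rules discussed above.

```javascript
// Added example: simplified model of the browser-side CORS decisions.
// Methods and headers that keep a request "simple" (no preflight needed).
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Decision 1: must an OPTIONS preflight be sent before this request?
// A simple request (safelisted method and only safelisted headers) is sent directly.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// Decision 2: once the response is back, may the page's script read it?
// This runs for every cross-origin request, preflighted or not. The request
// reaches the server either way; only the script's access to the reply is gated.
function responseExposed(requestOrigin, responseHeaders, withCredentials = false) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;        // header missing: blocked
  if (allowOrigin === "*") return !withCredentials;   // wildcard is refused when credentials are sent
  if (allowOrigin !== requestOrigin) return false;    // origin mismatch: blocked
  if (withCredentials) {
    return responseHeaders["access-control-allow-credentials"] === "true";
  }
  return true;
}

// Replay of the two experiments. The server answers 200 in both; the only
// difference is whether it emits the Access-Control-Allow-Origin header, which is
// what an any-origin policy such as AllowAnyOrigin() adds (assumed header value "*").
function runExperiment(serverAllowsAnyOrigin) {
  const pageOrigin = "http://localhost:8080"; // constructed: where page.html is served from
  const request = { method: "GET", headers: {} };
  const response = {
    status: 200,
    headers: serverAllowsAnyOrigin ? { "access-control-allow-origin": "*" } : {},
  };
  return {
    preflightSent: needsPreflight(request.method, request.headers), // false in both runs
    requestSent: true,                                              // the GET always leaves the browser
    responseStatus: response.status,                                // the server did answer
    scriptCanRead: responseExposed(pageOrigin, response.headers),   // false, then true
  };
}

console.log("experiment 1:", runExperiment(false));
console.log("experiment 2:", runExperiment(true));
```

In both runs `preflightSent` is false and the request reaches the server, which is why the network tab shows a GET and never an OPTIONS; what changes between the runs is only `scriptCanRead`. The same model shows why `AllowAnyOrigin()` is acceptable for the experiment but not a production setting: the wildcard is rejected by the browser as soon as credentials are involved, and a real API should name the origins it serves (for example with `WithOrigins(...)` in ASP.NET Core) rather than reflect any caller.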

Licensed under: CC-BY-SA with attribution