A quick note, because calling a service built with .NET 8 from client-side JS failed; opening the browser debug console showed:
Access to XMLHttpRequest at '...' from origin 'https://test.xxx.com/api/apiaction' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested resource.
At that point, check the docs:
https://learn.microsoft.com/zh-tw/aspnet/core/security/cors
Noting down the changed code, since the last time I ran into this was back in .NET Core 3.x and things are already a bit different..
Basically it is simple unless you need fine-grained settings; here I open it up to every domain.
A completely open CORS configuration like this (any origin, any method, any header) can carry security risk, and is normally only suitable for: development environments (so CORS restrictions do not get in the way of testing), and internal systems (where every calling application is trusted).
C# code:
public class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // Add the CORS configuration
        builder.Services.AddCors(options =>
        {
            options.AddPolicy("ALLOWALL",
                policy => policy.AllowAnyOrigin()   // allow any Origin
                                .AllowAnyMethod()   // allow any HTTP method (GET, POST, PUT, DELETE ..)
                                .AllowAnyHeader()); // allow any headers
        });

        // Add services to the container.
        builder.Services.AddRazorPages();

        var app = builder.Build();

        // Configure the HTTP request pipeline.
        if (!app.Environment.IsDevelopment())
        {
            app.UseExceptionHandler("/Error");
            // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();

        // Watch the middleware order here, otherwise the policy may not take effect
        app.UseCors("ALLOWALL"); // enable CORS

        app.UseAuthorization();
        app.MapRazorPages();
        app.Run();
    }
}
However, I asked ChatGPT and it recommended that something like this would be better:
options.AddPolicy("SecurePolicy",
    policy => policy.WithOrigins("https://yourdomain.com")            // restrict to specific domains
                    .WithMethods("GET", "POST")                        // only allow GET and POST
                    .WithHeaders("Content-Type", "Authorization"));    // only allow specific headers