How to implement WebApi Ajax cross-domain requests using CORS
This article shows how to use CORS to implement cross-domain Ajax requests against ASP.NET Web API, and what to watch out for when doing so. The following is a practical case.
Overview
Everyone who has used ASP.NET Web API knows how easy it is to use. There are no complicated configuration files; a simple ApiController plus the required actions is enough. However, when using APIs you will always run into the problem of cross-domain requests. With today's proliferation of apps, cross-domain requests to APIs are unavoidable.
By default, to prevent CSRF (cross-site request forgery) attacks, browsers apply JavaScript's Same-Origin Policy, which restricts a web page from obtaining data from another domain. There are ways around this limitation, the best known being JSONP, which is only one of many solutions. Because JSONP supports only GET requests, it can no longer meet the needs of today's complex applications. CORS (Cross-Origin Resource Sharing, https://www.w3.org/wiki/CORS) is a newer header specification that lets the server relax the cross-domain restriction and, based on headers, restrict or not restrict cross-domain requests. Importantly, it supports all HTTP request methods.
Problem
When XMLHttpRequest sends a cross-domain POST or GET request, the request method automatically becomes OPTIONS.
Because of the CORS (Cross-Origin Resource Sharing) specification, the browser first sends an OPTIONS probe request that carries the Origin header, to determine whether the page has permission to make the cross-domain request. The server responds with an Access-Control-Allow-Origin value for the browser to match against the origin. If it matches, the POST request is then actually sent. Even if the server allows cross-domain access, the request fails if the server does not support the OPTIONS request.
Reason
For security, the browser uses the Preflighted Request mechanism, which is transparent to the page and verified by the server, so that developers can use custom headers, methods other than GET or POST, and different content types. That is, an OPTIONS request is sent first to ask the server whether the actual request is allowed, to ensure that it is safe to send.
The situations in which OPTIONS appears are generally:
1. The request is not a GET or POST request
2. The Content-Type of a POST request is not one of the conventional three: application/x-www-form-urlencoded (a form submitted with the HTTP POST method), multipart/form-data (same as above, but mainly used when the form submission includes a file upload), text/plain (plain text)
3. The payload of the POST request is text/html
4. Custom headers are set
The OPTIONS request includes the following headers: Origin, Access-Control-Request-Method, Access-Control-Request-Headers. After receiving this request, the server can set the following headers to tell the browser whether the request is allowed:
Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers
Solution
This method is powerful and can handle complex cross-domain requests to ASP.NET Web API that carry complex header information, body content and authorization information.
Method 1
```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public class CrosHandler : DelegatingHandler
{
    private const string Origin = "Origin";
    private const string AccessControlRequestMethod = "Access-Control-Request-Method";
    private const string AccessControlRequestHeaders = "Access-Control-Request-Headers";
    private const string AccessControlAllowOrign = "Access-Control-Allow-Origin";
    private const string AccessControlAllowMethods = "Access-Control-Allow-Methods";
    private const string AccessControlAllowHeaders = "Access-Control-Allow-Headers";
    private const string AccessControlAllowCredentials = "Access-Control-Allow-Credentials";

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        bool isCrosRequest = request.Headers.Contains(Origin);
        bool isPrefilightRequest = request.Method == HttpMethod.Options;
        if (isCrosRequest)
        {
            Task<HttpResponseMessage> taskResult = null;
            if (isPrefilightRequest)
            {
                // Preflight: answer here, without passing the request on to the controller.
                taskResult = Task.Factory.StartNew<HttpResponseMessage>(() =>
                {
                    HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK);
                    // The caller's Origin is echoed back, so together with
                    // Access-Control-Allow-Credentials every origin is accepted.
                    response.Headers.Add(AccessControlAllowOrign, request.Headers.GetValues(Origin).FirstOrDefault());

                    // TryGetValues is used because GetValues throws when the header is absent.
                    IEnumerable<string> values;
                    if (request.Headers.TryGetValues(AccessControlRequestMethod, out values))
                    {
                        string method = values.FirstOrDefault();
                        if (method != null)
                        {
                            response.Headers.Add(AccessControlAllowMethods, method);
                        }
                    }
                    if (request.Headers.TryGetValues(AccessControlRequestHeaders, out values))
                    {
                        string headers = string.Join(", ", values);
                        if (!string.IsNullOrWhiteSpace(headers))
                        {
                            response.Headers.Add(AccessControlAllowHeaders, headers);
                        }
                    }
                    response.Headers.Add(AccessControlAllowCredentials, "true");
                    return response;
                }, cancellationToken);
            }
            else
            {
                // Actual cross-domain request: run the pipeline, then add the CORS headers.
                taskResult = base.SendAsync(request, cancellationToken).ContinueWith<HttpResponseMessage>(t =>
                {
                    var response = t.Result;
                    response.Headers.Add(AccessControlAllowOrign, request.Headers.GetValues(Origin).FirstOrDefault());
                    response.Headers.Add(AccessControlAllowCredentials, "true");
                    return response;
                });
            }
            return taskResult;
        }
        // Same-origin request: no CORS handling needed.
        return base.SendAsync(request, cancellationToken);
    }
}
```
To use it, add the handler to the message handlers in Application_Start:
```csharp
protected void Application_Start()
{
    IOCConfig.RegisterAll();
    AreaRegistration.RegisterAllAreas();
    WebApiConfig.Register(GlobalConfiguration.Configuration);
    FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    RouteConfig.RegisterRoutes(RouteTable.Routes);
    BundleConfig.RegisterBundles(BundleTable.Bundles);
    // Register the CORS message handler for all Web API requests.
    GlobalConfiguration.Configuration.MessageHandlers.Add(new CrosHandler());
}
```
Method 2
Add the following configuration to the application's configuration file (the system.webServer section belongs in Web.config). This method is simple and can handle simple cross-domain requests. Because the allowed origin is the wildcard `*`, browsers will not accept these responses for requests sent with credentials (cookies or HTTP authentication).
```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Access-Control-Allow-Origin" value="*" />
      <add name="Access-Control-Allow-Headers" value="Content-Type" />
      <add name="Access-Control-Allow-Methods" value="GET, POST,OPTIONS" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```