跨域CORS

一、跨域CORS是什么
当一个资源从与该资源本身所在的服务器的域或端口不同的域或不同的端口请求一个资源时,浏览器会发起一个跨域 HTTP 请求。出于安全考虑,浏览器会限制从脚本内发起的跨域HTTP请求或者拦截了服务器返回内容。例如,XMLHttpRequest 和 Fetch 遵循同源策略。因此,使用 XMLHttpRequest或 Fetch 的Web应用程序只能将HTTP请求发送到其自己的域;这种安全机制是为避免出现类似CSRF 跨站攻击等问题。
 
二、实现CORS
根据CORS的定义和W3C相关规范,明白了跨域的关键问题是在于服务端是否允许;而服务端是通过W3C所规定的相关CORS heades来实现的;相关headers如下:
Access-Control-Allow-Origin:*
该字段是必须的。它的值要么是请求时Origin字段的值,要么是一个*,表示接受任意域名的请求。
 
Access-Control-Allow-Methods: POST, GET, OPTIONS
该字段可选。表明服务器允许客户端使用 POST, GET 和 OPTIONS
 
Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
该字段可选。表明服务器允许请求中携带字段 X-PINGOTHER 与 Content-Type。
 
Access-Control-Max-Age: 86400
表明该响应的有效时间为 86400 秒,也就是 24 小时。在有效时间内,浏览器无须为同一请求再次发起预检请求。
 
Access-Control-Allow-Credentials: true
该字段可选。它的值是一个布尔值,表示是否允许发送Cookie。
 
 
三、WCF restful实现CORS
1.
跨域CORS跨域CORS
 1  /// <summary>
 2     /// js跨域过滤器
 3     /// </summary>
 4     [AttributeUsage(AttributeTargets.Class, AllowMultiple = true)]
 5     public class CORSAttribute : Attribute, IServiceBehavior
 6     {
 7         public void AddBindingParameters(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase, Collection<ServiceEndpoint> endpoints, BindingParameterCollection bindingParameters)
 8         {
 9         }
10         /// <summary>
11         /// 扩展拦截
12         /// </summary>
13         /// <param name="serviceDescription"></param>
14         /// <param name="serviceHostBase"></param>
15         public void ApplyDispatchBehavior(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
16         {
17             foreach (ChannelDispatcher channelDispatch in serviceHostBase.ChannelDispatchers)
18             {
19                 foreach (EndpointDispatcher endpointDispatch in channelDispatch.Endpoints)
20                 {
21                     endpointDispatch.DispatchRuntime.MessageInspectors.Add(new CrossDomain());
22                 }
23             }
24         }
25 
26         public void Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
27         {
28         }
29     }
View Code

2.

跨域CORS跨域CORS
  1 /// <summary>
  2     /// js跨域过滤器
  3     /// </summary>
  4     public class CrossDomain : IDispatchMessageInspector
  5     {
  6         #region IDispatchMessageInspector
  7         /// <summary>
  8         ///     token验证
  9         /// </summary>
 10         /// <param name="request"></param>
 11         /// <param name="channel"></param>
 12         /// <param name="instanceContext"></param>
 13         /// <returns></returns>
 14         public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
 15         {
 16             if (CrossDomain.DealOptions(ref request))
 17             {
 18                 return "3";
 19             }
 20             return string.Empty;
 21         }
 22 
 23         /// <summary>
 24         ///     回复内容
 25         /// </summary>
 26         /// <param name="reply"></param>
 27         /// <param name="correlationState"></param>
 28         public void BeforeSendReply(ref Message reply, object correlationState)
 29         {
 30             if ((string)correlationState == "3")
 31                 reply = MessageTempleHelper.GetDefault(JsonResultCode.SUCESS.ToString(), "OPTIONS");
 32             else
 33                 CrossDomain.DealtMessage(ref reply);
 34         }
 35         #endregion
 36 
 37 
 38         /// <summary>
 39         /// 对已处理的消息进行cross加工
 40         /// </summary>
 41         /// <param name="msg"></param>
 42         public static void DealtMessage(ref Message msg)
 43         {
 44             try
 45             {
 46                 var ct = ((HttpResponseMessageProperty)msg.Properties["httpResponse"]).Headers["Content-Type"];
 47 
 48                 if (MimeTypes.Contains(ct))
 49                 {
 50                     if (ct == MimeTypes[0])
 51                     {
 52                         if (!msg.Properties.ContainsKey("WebBodyFormatMessageProperty"))
 53                         {
 54                             msg.Properties.Add("WebBodyFormatMessageProperty", new WebBodyFormatMessageProperty(WebContentFormat.Json));
 55                         }
 56                         else if (msg.Properties["WebBodyFormatMessageProperty"] == new WebBodyFormatMessageProperty(WebContentFormat.Xml)) //强制将xml返回值改为json
 57                         {
 58                             msg.Properties.Remove("WebBodyFormatMessageProperty");
 59                             msg.Properties.Add("WebBodyFormatMessageProperty", new WebBodyFormatMessageProperty(WebContentFormat.Json));
 60                         }
 61                     }
 62                     var property = new HttpResponseMessageProperty();
 63                     property.StatusCode = HttpStatusCode.OK;
 64                     property.Headers.Add("Content-Type", ct);
 65                     property.Headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
 66                     property.Headers.Add("Access-Control-Allow-Origin", "*");
 67                     property.Headers.Add("Access-Control-Allow-Headers", "Content-Type,X-Requested-With,Accept,imUserID,accessToken,appkey,userID,token");
 68                     property.Headers.Add("Access-Control-Request-Methods", "GET, POST, PUT, DELETE, OPTIONS");
 69                     property.SuppressEntityBody = false;
 70                     property.SuppressPreamble = false;
 71                     if (msg.Properties.ContainsKey("httpResponse"))
 72                         msg.Properties.Remove("httpResponse");
 73                     msg.Properties.Add("httpResponse", property);
 74                 }
 75             }
 76             catch (Exception ex)
 77             {
 78                 Log4NetUtil.WriteErrLog("CrossDomain.DealtMessage", ex);
 79             }
 80         }
 81 
 82         /// <summary>
 83         /// 处理新的消息
 84         /// </summary>
 85         /// <param name="msg"></param>
 86         public static void DealNewMessage(ref Message msg)
 87         {
 88             try
 89             {
 90                 msg.Properties.Add("WebBodyFormatMessageProperty", new WebBodyFormatMessageProperty(WebContentFormat.Json));
 91                 var property = new HttpResponseMessageProperty();
 92                 property.StatusCode = HttpStatusCode.OK;
 93                 property.Headers.Add("Content-Type", MimeTypes[0]);
 94                 property.Headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
 95                 property.Headers.Add("Access-Control-Allow-Origin", "*");
 96                 property.Headers.Add("Access-Control-Allow-Headers", "Content-Type,X-Requested-With,Accept,imUserID,accessToken,appkey,userID,token");
 97                 property.Headers.Add("Access-Control-Request-Methods", "GET, POST, PUT, DELETE, OPTIONS");
 98                 property.SuppressEntityBody = false;
 99                 property.SuppressPreamble = false;
100                 if (msg.Properties.ContainsKey("httpResponse"))
101                     msg.Properties.Remove("httpResponse");
102                 msg.Properties.Add("httpResponse", property);
103             }
104             catch { }
105 
106         }
107 
108         /// <summary>
109         /// 对当前请求是OPTIONS进行处理
110         /// </summary>
111         /// <param name="request"></param>
112         /// <returns>已处理为true,未处理为false</returns>
113         public static bool DealOptions(ref Message request)
114         {
115             try
116             {
117                 if (((System.ServiceModel.Channels.HttpRequestMessageProperty)request.Properties["httpRequest"]).Method == "OPTIONS")
118                 {
119                     WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
120                     WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Origin", "*");
121                     WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Headers", "Content-Type,X-Requested-With,Accept,imUserID,accessToken,appkey,userID,token");
122                     WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Request-Methods", "GET, POST, PUT, DELETE, OPTIONS");
123                     WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Accepted;
124                     request.Close();
125                     return true;
126                 }
127             }
128             catch { }
129             return false;
130         }
131 
132 
133 
134         private static string[] _mimeTypes = null;
135 
136         /// <summary>
137         /// html格式
138         /// </summary>
139         public static string[] MimeTypes
140         {
141             get
142             {
143                 if (_mimeTypes == null)
144                 {
145                     _mimeTypes = new string[] {
146                         "application/json; charset=utf-8",
147                         "image/png"
148                     };
149                 }
150                 return _mimeTypes;
151             }
152         }
153     }
View Code

 

3.在所要公开的服务类上面[CORS],例如:
跨域CORS

 

四、js测试
 
    <script type="text/javascript">
        $(function () {
            $("button").click(function () {

                var postData = JSON.stringify({ name: "ASDF.txt", md5Code: "F006096956B5062F8EFB72AF4DF59BC2"});

                console.log(postData);

                $.ajax({
                    url: "http://127.0.0.1:16060/FileService/GetInfo",
                    headers: {
                        imUserID: "e82287ac45c14040ba8ef34b9c2dac29",
                        accessToken: "U6wJgLoAdxVXUpx5R6AdZnFW/ytU+kgnVzaejZZoSdR31lNoRmDsQz42viOP7Jtm3iz8L2COA16r9rl5YUvZPhpHAAWxLNJBWWjHGKibHYejUuerO9qoxEkb6Yi+apPf60MzfmZ+SIgwhs6UBYOx2AbTkMdywYPCgKh8Q/mlVImUz0BU6WG4QCqgdqIefGi3"
                    },
                    contentType: "application/json; charset=utf-8",
                    type: "post",
                    dataType: "json",
                    data: postData,
                    success: function (data) {
                        $("#s").html(JSON.stringify(data));
                        console.log(data);
                    },
                    error: function (e) {
                        $("#e").html(e);
                        console.log(e);
                    }
                });
            });

        });
    </script>

测试结果:

跨域CORS

 

 

上一篇:SQL FOR XML子句的各种用法


下一篇:无法使用SQL login去登陆SQL Server - 'Password did not match'