[C#] .NET Core Kestrel proxy on IIS: Model Binding error

No Referrer When Downgrade!

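Background:

When a request is sent, an OPTIONS request goes out first for confirmation, and only then is the actual request (GET, POST, PUT, DELETE) sent.

But when two POSTs are sent back to back, occasionally the OPTIONS succeeds but the request fails!

Inspecting the traffic showed:

1. The response headers were missing data, which caused the Access-Control-Allow-Origin check to fail

2. .NET Core failed when reading the JSON from the body for model binding

When debugging with a direct connection to Kestrel there are no errors at all, but going through the IIS proxy this little problem shows up!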

 

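Solution 2:

I found that the browser's request defaults to

Referrer Policy: no-referrer-when-downgrade

After configuring both Kestrel and IIS to use HTTPS, the model binding problem went away.

Although it should also work with both on HTTP, it seems that merely passing through IIS affects it.

But IIS was only configured for HTTP as well....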

 

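Solution 1:

Because the AuthorizationFilter processes the request, it seems the headers are lost there.

Once that code is commented out, the problem goes away.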

 //HttpRequest request = context.HttpContext.Request;
 //request.EnableRewind();            
 //LogRequest(request, userAccount, accessAction);    //call db to log
 //request.Body.Seek(0, SeekOrigin.Begin);

Microsoft's comment on the issue is as follows:

Remember that the CORS middleware is adding the response headers for CORS into the response very early on (first thing in my startup) ... so unless some other middleware does a Response.Clear() (as the DevelopmentExceptionPage middleware does) or otherwise modifies the headers to remove the CORS headers, then they'll still be there on whatever response is generated.

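I will have to find another way to process the request so the headers don't get dropped, but the headers being dropped only some of the time is really annoying.

And they were never dropped in debug mode; as soon as it runs on IIS they drop..... sigh

Microsoft's solution: add a custom filter that inspects the incoming request, checks again on the way out whether the headers are present, and if not, adds the "Access-Control" related headers back!

And it has already been added to the .NET Core 2.2.0 changes (this feature is in the 2.2.0-preview1 milestone.)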
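
One way to implement the "check on the way out and add the header back" approach described above, as an added example that is not the author's or Microsoft's code. The class name, the allow-list parameter and the sample origin are assumptions; it restores only Access-Control-Allow-Origin, and only for origins on an explicit allow-list rather than echoing whatever Origin the client sent.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example (hypothetical class): restores the CORS allow-origin header
// if something later in the pipeline removed it from the response.
public class CorsHeaderGuardMiddleware
{
    private const string AllowOrigin = "Access-Control-Allow-Origin";
    private readonly RequestDelegate _next;
    private readonly HashSet<string> _allowedOrigins;

    public CorsHeaderGuardMiddleware(RequestDelegate next, IEnumerable<string> allowedOrigins)
    {
        _next = next;
        // Exact match on scheme + host + port, case-insensitive.
        _allowedOrigins = new HashSet<string>(allowedOrigins, StringComparer.OrdinalIgnoreCase);
    }

    public Task Invoke(HttpContext context)
    {
        string origin = context.Request.Headers["Origin"];

        // Act only for origins that are explicitly trusted. Reflecting an
        // arbitrary Origin would open the API to every site.
        if (!string.IsNullOrEmpty(origin) && _allowedOrigins.Contains(origin))
        {
            // OnStarting fires just before the response headers are sent,
            // after filters and other middleware have had a chance to clear them.
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                if (!headers.ContainsKey(AllowOrigin))
                {
                    headers[AllowOrigin] = origin;
                    headers.Append("Vary", "Origin"); // keep caches from mixing origins
                }
                return Task.CompletedTask;
            });
        }
        return _next(context);
    }
}

// Registration in Startup.Configure, ahead of UseCors/UseMvc (constructed origin):
// app.UseMiddleware<CorsHeaderGuardMiddleware>(
//     new HashSet<string> { "https://app.example.test" });
```

If the CORS policy also allows credentials or custom request headers, those Access-Control headers would need the same treatment, driven by the same allow-list.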

Damn! Wasted a whole lot of time

https://github.com/aspnet/Home/issues/2378

https://stackoverflow.com/questions/48649878/cors-in-net-core-2-0-no-access-control-allow-origin-header-is-present-on-the