No Referrer When Downgrade!
前情提要:
送封包的時候先送 option確認後,才會再送出實際request(get、post、put、delete)
但連續送兩個post時,偶爾會發生option成功但request失敗!
查看封包發現
1. response header有掉資料,導致Access-Control-Allow-Origin失敗
2. .net core 在body裡抓json做Model binding的時候失敗
debug 直接對kestrel連線時完全不會有錯誤,但透過iis代理就是有這小問題!
解2:
發現瀏覽器封包裡預設
Referrer Policy:no-referrer-when-downgrade
把kestrel跟iis都設定成https就沒有model binding問題了
雖說就算都走http應該也可,但只要經過iis似乎就會影響
但明明iis也是設定http而已....
解1:
因為在AuthirizationFilter裡面有處裡封包,似乎是在這裡遺失header
只要註解後就沒問題了
//HttpRequest request = context.HttpContext.Request;
//request.EnableRewind();
//LogRequest(request, userAccount, accessAction); //call db to log
//request.Body.Seek(0, SeekOrigin.Begin);
微軟在issue的留言如下:
Remember that the CORS middleware is adding the response headers for CORS into the response very early on (first thing in my startup) ... so unless some other middleware does a Response.Clear() (as the DevelopmentExceptionPage middleware does) or otherwise modifies the headers to remove the CORS headers, then they'll still be there on whatever response is generated.
再另外想辦法處裡封包避免header掉了,但掉header是偶爾掉偶爾不掉真的很機車
debug模式又從沒掉過,一上iis就掉.....唉
而微軟的解法:加入一個自訂的Filter檢查送入封包,送出時再檢查有沒有,沒有的話再加回"Access-Control"相關的header!
然後已經加入net core 2.2.0修改項目中 ( this feature is in the 2.2.0-preview1 milstone.)
靠!浪費一堆時間
https://github.com/aspnet/Home/issues/2378
https://stackoverflow.com/questions/48649878/cors-in-net-core-2-0-no-access-control-allow-origin-header-is-present-on-the