更新

CorsServer/CorsServer.WebApi31/Config/CorsOption.cs

@@ -8,23 +8,33 @@ namespace CorsServer.WebApi31
     public class CorsOption
     {
         /// <summary>
-        /// 允许跨域的域名列表
+        /// 允许跨域的请求来源
         /// </summary>
         public List<string> Origins { get; set; }
 
         /// <summary>
-        /// 允许跨域的方法
+        /// 允许跨域的HTTP方法
         /// </summary>
         public List<string> Methods { get; set; }
 
         /// <summary>
-        /// 允许跨域的请求头
+        /// 允许跨域的HTTP请求头
         /// </summary>
         public List<string> Headers { get; set; }
 
         /// <summary>
-        /// 允许跨域的ExposedHeader
+        /// 公开的非简单响应标头
         /// </summary>
         public List<string> ExposedHeaders { get; set; }
+
+        /// <summary>
+        /// 允许跨域请求中的凭据
+        /// </summary>
+        public bool AllowCredentials { get; set; }
+
+        /// <summary>
+        /// 预检过期时间
+        /// </summary>
+        public TimeSpan PreflightMaxAge { get; set; }
     }
 }

CorsServer/CorsServer.WebApi31/Startup.cs

@@ -16,7 +16,7 @@ namespace CorsServer.WebApi31
 {
     public class Startup
     {
-        public Startup(IConfiguration configuration,IHostEnvironment hostingEnvironment,IWebHostEnvironment webHostEnvironment)
+        public Startup(IConfiguration configuration, IHostEnvironment hostingEnvironment, IWebHostEnvironment webHostEnvironment)
         {
             Configuration = configuration;
         }
@@ -25,9 +25,9 @@ namespace CorsServer.WebApi31
 
         public void ConfigureServices(IServiceCollection services)
         {
-            #region Config
+            //Config
             services.Configure<CorsOption>(Configuration.GetSection("CORS"));
-            #endregion
+
             #region  CORS
             AddCors_Test(services);
             //AddCors_2(services);
@@ -60,51 +60,6 @@ namespace CorsServer.WebApi31
             });
         }
 
-        /// <summary>
-        /// 全部设置项说明
-        /// </summary>
-        private IServiceCollection AddCors_Info(IServiceCollection services)
-        {
-            services.AddCors(setup =>
-            {
-                setup.AddPolicy(CorsPolicyNameConst.DefaultPolicyName, build =>
-                {
-                    build
-
-                    //请求来源
-                    .AllowAnyOrigin()                               //允许任何请求来源
-                    //.WithOrigins()                                //允许指定请求来源
-                    .SetIsOriginAllowed(_ => true)            //使用Func<string bool> 委托方法，确定是否允许请求源跨域
-                    .SetIsOriginAllowedToAllowWildcardSubdomains()  //允许请求源中使用通配符(*等) 
-
-                    //请求方法(POST GET PUT DELETE OPTIONS等)
-                    .AllowAnyMethod()                               //允许所有方法
-                    //.WithMethods()                                //允许指定方法
-
-                    //请求头
-                    .AllowAnyHeader()                               //允许所有请求头
-                    //.WithHeaders()                                //允许指定请求头
-                    
-                    //凭据
-                    .AllowCredentials()                             //允许凭据：证书中包含缓存(cookies)和HTTP验证协议(HTTP authentication schemes)
-                    //.DisallowCredentials()                        //拒绝凭据
-
-                    //.WithExposedHeaders()                         //设置暴露的自定义响应头（默认情况下，浏览器只会暴露默认的响应头给应用，其它自定义影响头不会暴露给应用程序）
-                   ;
-
-                    /*特别说明：
-                      出于安全考虑：.net core 2.1开始, AllowAnyOrigin() 和 AllowCredentials() 不能同时使用
-                      解决方案：
-                                1、使用AllowCredentials()时，用.SetIsOriginAllowed(_ => true) 代替 AllowAnyOrigin()
-                                2、使用AllowCredentials()时，用 WithOrigins()指定请求来源(使用SetIsOriginAllowedToAllowWildcardSubdomains()来启用通配符) 代替 AllowAnyOrigin()
-                                3、自定义中间件
-                     */
-                });
-            });
-
-            return services;
-        }
-
         /// <summary>
         /// CORS 模板
         /// </summary>
@@ -118,8 +73,10 @@ namespace CorsServer.WebApi31
                     build
 
                     //请求来源
+                    //方法1：所有请求源
                     .AllowAnyOrigin()
-                    //.WithOrigins(corsOption.Origins.ToArray())
+
+                    //方法2：lamda方法中自定义
                     //.SetIsOriginAllowed(requestOrigin => 
                     //{
                     //    //请求源(请求的协议+主机+端口号，比如 http://wwwww.xxxx.com:80)
@@ -129,6 +86,10 @@ namespace CorsServer.WebApi31
 
                     //    return true;
                     //})
+
+                    //方法3：WithOrigins方法参数自定义
+                    //.WithOrigins(corsOption.Origins.ToArray())
+                    //允许在WithOrigins方法中使用通配符(*等)
                     //.SetIsOriginAllowedToAllowWildcardSubdomains()
 
                     //请求方法(POST GET PUT DELETE OPTIONS等)
@@ -144,6 +105,7 @@ namespace CorsServer.WebApi31
                     //.DisallowCredentials()
 
                     //.WithExposedHeaders()
+                    //.SetPreflightMaxAge(TimeSpan.FromMinutes(10))
                    ;
                 });
             });
@@ -151,6 +113,57 @@ namespace CorsServer.WebApi31
             return services;
         }
 
+        /// <summary>
+        /// 全部设置项说明
+        /// </summary>
+        private IServiceCollection AddCors_Info(IServiceCollection services)
+        {
+            services.AddCors(setup =>
+            {
+                setup.AddPolicy(CorsPolicyNameConst.DefaultPolicyName, build =>
+                {
+                    build
+
+                    //设置允许跨域的请求来源
+                    .AllowAnyOrigin()                                   //允许任何请求来源
+                    //.SetIsOriginAllowed(_=> true)                    //使用Func<string bool> 委托方法，自定义是否允许请求源跨域
+                    //.WithOrigins()                                    //允许指定请求来源
+                    //.SetIsOriginAllowedToAllowWildcardSubdomains()    //允许WithOrigins()方法，在请求源中使用通配符(*等) 
+
+                    //设置允许跨域的HTTP方法(POST GET PUT DELETE OPTIONS等)
+                    .AllowAnyMethod()                                   //允许所有方法
+                    //.WithMethods()                                    //允许指定方法
+
+                    //设置允许跨域的请求标头
+                    .AllowAnyHeader()                                   //允许所有请求头
+                                                                        //.WithHeaders()                                    //允许指定请求头
+
+                    //跨域请求中的凭据
+                    .AllowCredentials()                                 //允许凭据：证书中包含缓存(cookies)和HTTP验证协议(HTTP authentication schemes)
+                    //.DisallowCredentials()                            //拒绝凭据
+
+                    //设置公开的非简单响应标头                          /设置暴露的自定义响应头（默认情况下，浏览器只会暴露默认的响应头给应用，其它自定义影响头不会暴露给应用程序）
+                    .WithExposedHeaders("x-custom-a", "x-custom-b")
+
+                    //设置预检过期时间
+                    .SetPreflightMaxAge(TimeSpan.FromMinutes(10))  //此标头指定可缓存对预检请求的响应的时间长度
+                    ;
+
+                    /*特别说明：
+                      出于安全考虑：.net core 2.1开始, AllowAnyOrigin() 和 AllowCredentials() 不能同时使用
+                      解决方案：
+                                1、使用AllowCredentials()时，用.SetIsOriginAllowed(_ => true) 代替 AllowAnyOrigin()
+                                2、使用AllowCredentials()时，用 WithOrigins()指定请求来源(使用SetIsOriginAllowedToAllowWildcardSubdomains()来启用通配符) 代替 AllowAnyOrigin()
+                                3、自定义中间件
+                     */
+                });
+            });
+
+            return services;
+        }
+
+        #region 注册不同的Cors策略
+
         /// <summary>
         /// 测试
         /// </summary>
@@ -202,16 +215,16 @@ namespace CorsServer.WebApi31
 
                      //请求来源
                      .AllowAnyOrigin()
-                     //.WithOrigins()
+                    //.WithOrigins()
-                     //.SetIsOriginAllowed(_ => true)
+                    //.SetIsOriginAllowed(_ => true)
-                     //.SetIsOriginAllowedToAllowWildcardSubdomains()
+                    //.SetIsOriginAllowedToAllowWildcardSubdomains()
 
-                     //请求方法(POST GET PUT DELETE OPTIONS等)
+                    //请求方法(POST GET PUT DELETE OPTIONS等)
-                     //.AllowAnyMethod()
+                    //.AllowAnyMethod()
-                     //.WithMethods()
+                    //.WithMethods()
 
-                     //请求头
+                    //请求头
-                     //.AllowAnyHeader()
+                    //.AllowAnyHeader()
                     //.WithHeaders()
 
                     //凭据
@@ -294,5 +307,74 @@ namespace CorsServer.WebApi31
 
             return services;
         }
+
+        private IServiceCollection AddCors_Config(IServiceCollection services)
+        {
+            services.AddCors(setup =>
+              {
+                  var corsOption = services.BuildServiceProvider().GetRequiredService<IOptionsSnapshot<CorsOption>>().Value;
+                  setup.AddPolicy(CorsPolicyNameConst.DefaultPolicyName, builder =>
+                  {
+                      if (corsOption.Origins == null)
+                      {
+                          builder.SetIsOriginAllowed(_ => true);
+                      }
+                      else if (corsOption.Origins.Count == 0)
+                      {
+                          builder.SetIsOriginAllowed(_ => true);
+                      }
+                      else if (corsOption.Origins.Contains("*"))
+                      {
+                          builder.SetIsOriginAllowed(_ => true);
+                      }
+                      else
+                      {
+                          builder.WithOrigins(corsOption.Origins.ToArray());
+                          builder.SetIsOriginAllowedToAllowWildcardSubdomains();
+                      }
+
+                      if (corsOption.Methods == null || corsOption.Methods.Count == 0)
+                      {
+                          builder.AllowAnyMethod();
+                      }
+                      else
+                      {
+                          builder.WithMethods(corsOption.Methods.ToArray());
+                      }
+
+                      if (corsOption.Headers == null || corsOption.Headers.Count == 0)
+                      {
+                          builder.AllowAnyHeader();
+                      }
+                      else
+                      {
+                          builder.WithMethods(corsOption.Headers.ToArray());
+                      }
+
+                      if (corsOption.ExposedHeaders != null && corsOption.ExposedHeaders.Count > 0)
+                      {
+                          builder.WithExposedHeaders(corsOption.ExposedHeaders.ToArray());
+                      }
+
+                      if (corsOption.AllowCredentials)
+                      {
+                          builder.AllowCredentials();
+                      }
+                      else
+                      {
+                          builder.DisallowCredentials();
+                      }
+
+                      if (corsOption.PreflightMaxAge.TotalSeconds > 0)
+                      {
+                          builder.SetPreflightMaxAge(corsOption.PreflightMaxAge);
+                      }
+                  });
+              });
+
+            return services;
+        }
+
+        #endregion
     }
 }

CorsServer/CorsServer.WebApi31/StartupConfig.cs

@@ -0,0 +1,127 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace CorsServer.WebApi31
+{
+    public class StartupConfig
+    {
+        public StartupConfig(IConfiguration configuration, IHostEnvironment hostingEnvironment, IWebHostEnvironment webHostEnvironment)
+        {
+            Configuration = configuration;
+        }
+
+        public IConfiguration Configuration { get; }
+
+        public void ConfigureServices(IServiceCollection services)
+        {
+            //Config
+            services.Configure<CorsOption>(Configuration.GetSection("CORS"));
+
+            //Cors配置文件选项
+            AddCors_Config(services);
+
+            services.AddControllers();
+        }
+
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IOptionsSnapshot<CorsOption> corsOtionsSnapshot)
+        {
+            if (env.IsDevelopment())
+            {
+                app.UseDeveloperExceptionPage();
+            }
+
+            app.UseRouting();
+
+            app.UseCors(CorsPolicyNameConst.DefaultPolicyName);
+
+            app.UseAuthorization();
+
+            app.UseEndpoints(endpoints =>
+            {
+                endpoints.MapControllers();
+            });
+        }
+
+        #region 注册不同的Cors策略
+
+        private IServiceCollection AddCors_Config(IServiceCollection services)
+        {
+            services.AddCors(setup =>
+              {
+                  var corsOption = services.BuildServiceProvider().GetRequiredService<IOptionsSnapshot<CorsOption>>().Value;
+                  setup.AddPolicy(CorsPolicyNameConst.DefaultPolicyName, builder =>
+                  {
+                      if (corsOption.Origins == null)
+                      {
+                          builder.SetIsOriginAllowed(_ => true);
+                      }
+                      else if (corsOption.Origins.Count == 0)
+                      {
+                          builder.SetIsOriginAllowed(_ => true);
+                      }
+                      else if (corsOption.Origins.Contains("*"))
+                      {
+                          builder.SetIsOriginAllowed(_ => true);
+                      }
+                      else
+                      {
+                          builder.WithOrigins(corsOption.Origins.ToArray());
+                          builder.SetIsOriginAllowedToAllowWildcardSubdomains();
+                      }
+
+                      if (corsOption.Methods == null || corsOption.Methods.Count == 0)
+                      {
+                          builder.AllowAnyMethod();
+                      }
+                      else
+                      {
+                          builder.WithMethods(corsOption.Methods.ToArray());
+                      }
+
+                      if (corsOption.Headers == null || corsOption.Headers.Count == 0)
+                      {
+                          builder.AllowAnyHeader();
+                      }
+                      else
+                      {
+                          builder.WithMethods(corsOption.Headers.ToArray());
+                      }
+
+                      if (corsOption.ExposedHeaders != null && corsOption.ExposedHeaders.Count > 0)
+                      {
+                          builder.WithExposedHeaders(corsOption.ExposedHeaders.ToArray());
+                      }
+
+                      if (corsOption.AllowCredentials)
+                      {
+                          builder.AllowCredentials();
+                      }
+                      else
+                      {
+                          builder.DisallowCredentials();
+                      }
+
+                      if (corsOption.PreflightMaxAge.TotalSeconds > 0)
+                      {
+                          builder.SetPreflightMaxAge(corsOption.PreflightMaxAge);
+                      }
+                  });
+              });
+
+            return services;
+        }
+
+        #endregion
+    }
+}

CorsServer/CorsServer.WebApi31/StartupDefaultPolicy.cs

@@ -0,0 +1,80 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace CorsServer.WebApi31
+{
+    public class StartupDefaultPolicy
+    {
+        public StartupDefaultPolicy(IConfiguration configuration, IHostEnvironment hostingEnvironment, IWebHostEnvironment webHostEnvironment)
+        {
+            Configuration = configuration;
+        }
+
+        public IConfiguration Configuration { get; }
+
+        public void ConfigureServices(IServiceCollection services)
+        {
+            //config
+            services.Configure<CorsOption>(Configuration.GetSection("CORS"));
+
+            //Cors
+            AddDefaultCors(services);
+
+            services.AddControllers();
+        }
+
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IOptionsSnapshot<CorsOption> corsOtionsSnapshot)
+        {
+            if (env.IsDevelopment())
+            {
+                app.UseDeveloperExceptionPage();
+            }
+
+            //根路径：全局访问前辍 http://www.custom.com/PathBase/
+            //app.UsePathBase("/api/");
+
+            app.UseRouting();
+
+            app.UseCors();
+
+            app.UseAuthorization();
+
+            app.UseEndpoints(endpoints =>
+            {
+                endpoints.MapControllers();
+            });
+        }
+
+        /// <summary>
+        /// 设置默认策略Cors
+        /// </summary>
+        private IServiceCollection AddDefaultCors(IServiceCollection services)
+        {
+            services.AddCors(setupCors =>
+            {
+                setupCors.AddDefaultPolicy(build =>
+                {
+                    build
+                    .AllowAnyOrigin()
+                    .AllowAnyMethod()
+                    .AllowAnyHeader()
+                    .SetPreflightMaxAge(TimeSpan.FromMinutes(10))
+                    ;
+                });
+            });
+
+            return services;
+        }
+    }
+}

CorsServer/CorsServer.WebApi31/appsettings.json

@@ -4,7 +4,9 @@
     "Origins": ["*"],
     "Methods": [ "*" ],
     "Headers": [ "*" ],
-    "ExposedHeaders": ["x-custom-error"]
+    "AllowCredentials": false,
+    "ExposedHeaders": [ "x-custom-error" ],
+    "PreflightMaxAge": "00:20:30"
   },
   "Logging": {
     "LogLevel": {