且构网


Local JavaScript fetch POST request fails when calling an ASP.NET Core 2.2 Web API. CORS is enabled

Updated: 2021-08-05 22:25:52

It's been a while, but I am not sure that .WithOrigins("*") is a valid way to wildcard everything. Have you tried using .AllowAnyOrigin() instead? Even better (from a security standpoint), use WithOrigins with the actual host of where the HTML file is hosted. If that is local, then it would be the localhost address you are serving the HTML page from (which I assume is different than your API).

So something like (where 1234 is the actual local port you are hosting the HTML from).

app.UseCors(builder => builder.WithOrigins("https://localhost:1234"));

If AllowAnyOrigin() works for testing, fine. But don't use it in production. Microsoft considers this an insecure configuration (see https://docs.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-2.2#set-the-allowed-origins). Always use named origins in prod.
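
A fuller Startup for ASP.NET Core 2.2 that applies the advice above with a named CORS policy, added here as an example and not part of the original answer. The policy name, the "Cors:AllowedOrigins" configuration key and the https://app.example.com origin are assumptions made for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical policy name, chosen for this example.
    private const string PagePolicy = "HtmlPageOrigins";
    private readonly IConfiguration _config;
    private readonly IHostingEnvironment _env;

    public Startup(IConfiguration config, IHostingEnvironment env)
    {
        _config = config;
        _env = env;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Development: the local origin serving the HTML page (port 1234 as in the answer).
        // Other environments: named origins from configuration (assumed key), e.g.
        //   "Cors": { "AllowedOrigins": [ "https://app.example.com" ] }
        // If the key is missing, no origin is allowed (fail closed).
        // An origin is scheme + host + port, with no path and no trailing slash.
        string[] origins = _env.IsDevelopment()
            ? new[] { "https://localhost:1234" }
            : _config.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? new string[0];

        services.AddCors(options => options.AddPolicy(PagePolicy, policy => policy
            .WithOrigins(origins)
            // A fetch() POST with a JSON body triggers a preflight request, so the
            // method and the Content-Type header must both be allowed explicitly.
            .WithMethods("POST")
            .WithHeaders("Content-Type")));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // The CORS middleware must be registered before MVC, otherwise the
        // preflight OPTIONS request never receives the CORS response headers.
        app.UseCors(PagePolicy);
        app.UseMvc();
    }
}
```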