CORS:当凭证标志为真时,不能在Access-Control-Allow-Origin中使用通配符 [英] CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true
问题描述
我有一个设置涉及
前端服务器(Node.js,domain:localhost:3000)< --->后端(Django,Ajax, localhost:8000)
浏览器< - webapp< - Node.js(服务应用程序)
浏览器(webapp) - > Ajax - > Django(提供ajax POST请求)
现在,我的问题是使用webapp使用的CORS设置Ajax调用后端服务器。在chrome中,我继续获得
当凭证标志为true时,Access-Control-Allow-Origin中不能使用通配符。
在firefox上不起作用。
我的Node.js设置是: p>
var allowCrossDomain = function(req,res,next){
res.header('Access-Control-Allow-Origin ','http:// localhost:8000 /');
res.header('Access-Control-Allow-Credentials',true);
res.header('Access-Control-Allow-Methods','GET,PUT,POST,DELETE');
res.header(Access-Control-Allow-Headers,Origin,X-Requested-With,Content-Type,Accept);
next();
};
webapp发出请求:
$。ajax ({
type:POST,
url:'http:// localhost:8000 / blah',
data:{},
xhrFields:{
withCredentials:true
},
crossDomain:true,
dataType:'json',
success:successHandler
});
因此,webapp发送的请求标头如下所示:
访问控制允许凭据:true
访问控制允许头文件:Origin,X-Requested-With,Content-Type,Accept
访问控制允许方法:GET,PUT,POST,DELETE'
内容类型:application / json
接受:* / *
接受编码: gzip,deflate,sdch
接受语言:en-US,en; q = 0.8
Cookie:csrftoken = ***; sessionid =***
这里是响应标题:
访问控制 - 允许标题:内容类型,*
访问控制允许凭据:true
访问控制 - 允许原点:*
访问控制允许方法:POST,GET,OPTIONS,PUT,DELETE
内容类型:application / json
我哪里错了?
编辑1:我一直在使用 chrome --disable-web-security
,但是现在想要事情实际工作。
编辑2:答案:
所以,我的解决方案 django-cors-headers
config:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST =(
'http:// localhost:3000'#这是问题的确,是http:// localhost:3000,而不是http:// localhost:3000 /
)
这是安全的一部分,你可以不这样做如果要允许凭据,则您的 Access-Control-Allow-Origin
不得使用 *
。您将必须指定确切的协议+域+端口。参考这些问题:
除了 *
是太宽容了,会失败使用凭据。所以设置 http:// localhost:3000
或 http:// localhost:8000
作为allow origin标题。 / p>
I have a setup involving
Frontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000)
Browser <-- webapp <-- Node.js (Serve the app)
Browser (webapp) --> Ajax --> Django(Serve ajax POST requests)
Now, my problem here is with CORS setup which the webapp uses to make Ajax calls to the backend server. In chrome, I keep getting
Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
doesn't work on firefox either.
My Node.js setup is:
var allowCrossDomain = function(req, res, next) {
res.header('Access-Control-Allow-Origin', 'http://localhost:8000/');
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
};
And in Django I'm using this middleware along with this
The webapp makes requests as such:
$.ajax({
type: "POST",
url: 'http://localhost:8000/blah',
data: {},
xhrFields: {
withCredentials: true
},
crossDomain: true,
dataType: 'json',
success: successHandler
});
So, the request headers that the webapp sends looks like:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept"
Access-Control-Allow-Methods: 'GET,PUT,POST,DELETE'
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrftoken=***; sessionid="***"
And here's the response header:
Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Content-Type: application/json
Where am I going wrong?!
Edit 1: I've been using chrome --disable-web-security
, but now want things to actually work.
Edit 2: Answer:
So, solution for me django-cors-headers
config:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
'http://localhost:3000' # Here was the problem indeed and it has to be http://localhost:3000, not http://localhost:3000/
)
This is a part of security, you cannot do that. If you want to allow credentials then your Access-Control-Allow-Origin
must not use *
. You will have to specify the exact protocol + domain + port. For reference see these questions :
- Access-Control-Allow-Origin wildcard subdomains, ports and protocols
- Cross Origin Resource Sharing with Credentials
Besides *
is too permissive and would defeat use of credentials. So set http://localhost:3000
or http://localhost:8000
as the allow origin header.
这篇关于CORS:当凭证标志为真时,不能在Access-Control-Allow-Origin中使用通配符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!