来源< origin>是Access-Control-Allow-Origin不允许的 [英] Origin <origin> is not allowed by Access-Control-Allow-Origin

问题描述

XMLHttpRequest cannot load http://localhost:8080/api/test. Origin http://localhost:3000 is not allowed by Access-Control-Allow-Origin. 

我阅读了有关跨域Ajax请求的信息，并了解了潜在的安全性问题.就我而言，有2台服务器在本地运行，并且希望在测试期间启用跨域请求.

I read about cross domain ajax requests, and understand the underlying security issue. In my case, 2 servers are running locally, and like to enable cross domain requests during testing.

localhost:8080 - Google Appengine dev server
localhost:3000 - Node.js server

从节点服务器加载页面时，我正在向localhost:8080 - GAE server发出ajax请求.最简单，最安全的方法是什么(不想使用disable-web-security选项启动chrome).如果必须更改'Content-Type'，是否应该在节点服务器上执行?怎么样?

I am issuing an ajax request to localhost:8080 - GAE server while my page is loaded from node server. What is the easiest, and safest ( Don't want to start chrome with disable-web-security option). If I have to change 'Content-Type', should I do it at node server? How?

推荐答案

由于它们运行在不同的端口上，因此它们是不同的JavaScript origin.它们在同一台机器/主机名上没关系.

Since they are running on different ports, they are different JavaScript origin. It doesn't matter that they are on the same machine/hostname.

您需要在服务器(localhost:8080)上启用CORS.查看此网站: http://enable-cors.org/

You need to enable CORS on the server (localhost:8080). Check out this site: http://enable-cors.org/

您需要做的就是向服务器添加一个HTTP标头:

All you need to do is add an HTTP header to the server:

Access-Control-Allow-Origin: http://localhost:3000

或者，为简单起见:

Access-Control-Allow-Origin: *

如果您的服务器尝试设置Cookie并且您使用withCredentials = true

Thought don't use "*" if your server is trying to set cookie and you use withCredentials = true

响应凭据请求时，服务器必须指定域，并且不能使用通配符.

when responding to a credentialed request, server must specify a domain, and cannot use wild carding.

您可以在此处了解有关withCredentials的更多信息

You can read more about withCredentials here

这篇关于来源< origin>是Access-Control-Allow-Origin不允许的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！