角度:当凭据标记为true时,不能在'Access-Control-Allow-Origin'标头中使用通配符'*' [英] Angular: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true
问题描述
我知道已经有很多关于CORS的问题,但是它们似乎并没有回答我的问题.
I know there are a lot of questions concerning CORS already but they don't seem to answer my question.
因此,我有一个用Angular编写的客户端应用程序,它将用于创建移动应用程序(使用Apache Cordova). html文件和JavaScript文件将从移动设备加载.
当我进行模拟并将请求发送到REST API服务器时,我首先得到了
所请求的资源上没有'Access-Control-Allow-Origin'标头.因此,不允许对源'http://localhost:82'的访问".
所以我添加了header("Access-Control-Allow-Origin:*");在我的php REST API服务器中.我无法指定特定的域,因为请求将来自移动设备.
So I have a client app written in Angular which will be used to create a mobile app (with Apache Cordova). The html files and JavaScript files will be loaded from the mobile device.
When I simulate that and I send requests to the REST API server I first got
"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:82' is therefore not allowed access".
So I added header("Access-Control-Allow-Origin: *"); in my php REST API Server. I cannot specify a specific domain as the requests will come from the mobile devices.
现在,我获得了当凭据标记为true时,'Access-Control-Allow-Origin'标头中不能使用通配符'*'."
Now I got to "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true."
我终于找到了解决方案,但不确定将其保持这种状态是安全的.
I finally found a solution but I'm not sure it is safe to keep it like this.
在我的php REST API服务器中,我添加了以下内容:
In my php REST API Server I added this:
if (isset($_SERVER['HTTP_ORIGIN'])) {
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Access-Control-Allow-Headers: *, X-Requested-With, Content-Type");
header("Access-Control-Allow-Methods: GET, POST, DELETE, PUT");
}
请就这种工作方式提出建议.如果它不安全或根本没有好处,您能告诉我如何解决此问题吗?
Please advise on this way of working. If it is not secure or no good at all, can you please tell me how to solve this issue?
非常感谢!
推荐答案
响应仅在Access-Control-Allow-Headers中具有接受的标头,请勿使用通配符.
Response should only have the accepted headers in Access-Control-Allow-Headers, don't use wildcard.
为了安全起见,请在此有关CORS的帖子中注意@Jules的评论:
As far as it being safe, note the comment from @Jules in this post about CORS:
请注意,将HTTP Origin值作为允许的源发回 将允许任何人 使用Cookie向您发送请求,从而有可能窃取用户的会话 谁登录了您的网站,然后查看了攻击者的页面.您要么要发送"*" (这将禁止cookie,从而防止会话被窃取)或特定域 您希望该网站适合的网站.
Note that sending the HTTP Origin value back as the allowed origin will allow anyone to send requests to you with cookies, thus potentially stealing a session from a user who logged into your site then viewed an attacker's page. You either want to send '*' (which will disallow cookies thus preventing session stealing) or the specific domains for which you want the site to work.
另请参见以下示例:
Access-Control-Allow-Header中不接受通配符
指定标头Access-Control-Allow-Headers
替代方法
您可以将原始标头设置为:
You can just set the origin header to:
Access-Control-Allow-Origin: *
如果您不需要在请求中包含Cookie,请删除:
If you don't need to include cookies in your request remove:
Access-Control-Allow-Credentials: true
从Access-Control-Allow-Headers中删除通配符,然后添加Authorization,然后将该标头作为您的授权请求的一部分传递,而不是在cookie中传递凭据,例如:
Remove the wildcard from Access-Control-Allow-Headers and add Authorization and then pass that header as part of your request for authorization, instead of passing credentials in a cookie, ex:
Authorization: Basic a2lkMT==
此外,将OPTIONS添加到允许的方法中.
Also, add the OPTIONS to allowed methods.
这篇关于角度:当凭据标记为true时,不能在'Access-Control-Allow-Origin'标头中使用通配符'*'的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
