Cors-关于当前主机网址，此set-cookie域属性无效 [英] Cors - This set-cookie domain attribute was invalid with regards to the current host url

问题描述

我有一个节点后端，该节点应允许运行在localhost:3000上的前端应用程序发出跨源请求.因此，我将cors政策限制在我的域内.

I have a node backend, which should allow cross origin request from my frontend application that is running on localhost:3000. Therefore I've restricted the cors policy to my domain.

import csrf from 'csurf';

app.use(
  cors({
    origin: 'http://localhost:3000',
    credentials: true
  })
);

const csrfProtection = csrf({
  cookie: {
    maxAge: 900,
    domain: 'http://localhost:3000'
  }
})

router.get('/csrfToken', csrfProtection, async (req, res, next) => {
  res.json({ token: req.csrfToken() });
});

当我现在向服务器端点(在localhost:5000上运行)发出请求时，它向我返回以下错误，提示无法设置cookie.

When I'm making now a request to my server endpoint (which is running on localhost:5000), it returns me the following error that the cookie cannot be set.

  fetch('http://localhost:5000/csrfToken', {
      method: 'GET',
      credentials: 'include'
 })

推荐答案

这与CORS无关.这就是cookie的工作方式.

This has nothing to do with CORS. It is just how cookies work.

set-cookie 标头中的域为 http://localhost:3000 ，但请求是针对 http://localhost:5000 .

The domain in the set-cookie header says http://localhost:3000 but the request is for http://localhost:5000.

这是一个不同的来源，无效的cookie也是如此.

That is a different origin and so is an invalid cookie.

一个来源的 set-cookie 标头不可能为其他来源设置cookie. http://localhost:5000 只能为 http://localhost:5000 设置cookie.

It is impossible for a set-cookie header from one origin to set a cookie for a different origin. http://localhost:5000 can only set cookies for http://localhost:5000.

如果您真的想为:3000 设置cookie，则一种解决方法是通过cookie以外的其他格式(例如，在请求正文中)提供数据，然后使用 http://localhost:3000 上的客户端JS使用 document.cookie API .

If you really want to set a cookie for :3000 then a work-around would be to provide the data through some other format than a cookie (e.g. in the request body) and then have the client-side JS on http://localhost:3000 set the cookie using the document.cookie API.

如果您想为:5000 设置cookie(这似乎更有可能)，则在 set-cookie 标头中获取端口号.

If you want to set the cookie for :5000 (which seems more likely), then get the port number right in the set-cookie header.

const csrfProtection = csrf({
  cookie: {
    maxAge: 900,
    domain: 'http://localhost:5000'
  }
})

这篇关于Cors-关于当前主机网址，此set-cookie域属性无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！