CORS:当凭据标志为真时，不能在 Access-Control-Allow-Origin 中使用通配符 [英] CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

问题描述

我有一个设置涉及

前端服务器(Node.js，域:localhost:3000)<--->后端(Django，Ajax，域:localhost:8000)

Frontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000)

浏览器 <-- webapp <-- Node.js(服务应用程序)

Browser <-- webapp <-- Node.js (Serve the app)

浏览器(webapp) --> Ajax --> Django(服务ajax POST请求)

Browser (webapp) --> Ajax --> Django(Serve ajax POST requests)

现在，我的问题是 CORS 设置，Web 应用程序使用该设置对后端服务器进行 Ajax 调用.在 chrome 中，我不断得到

Now, my problem here is with CORS setup which the webapp uses to make Ajax calls to the backend server. In chrome, I keep getting

当凭据标志为真时，不能在 Access-Control-Allow-Origin 中使用通配符.

Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.

也不适用于 Firefox.

doesn't work on firefox either.

我的 Node.js 设置是:

My Node.js setup is:

var allowCrossDomain = function(req, res, next) {
    res.header('Access-Control-Allow-Origin', 'http://localhost:8000/');
    res.header('Access-Control-Allow-Credentials', true);
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    next();
};

在 Django 中，我使用了这个中间件 连同这个

And in Django I'm using this middleware along with this

Web 应用程序发出这样的请求:

The webapp makes requests as such:

$.ajax({
    type: "POST",
    url: 'http://localhost:8000/blah',
    data: {},
    xhrFields: {
        withCredentials: true
    },
    crossDomain: true,
    dataType: 'json',
    success: successHandler
});

因此，Web 应用程序发送的请求标头如下所示:

So, the request headers that the webapp sends looks like:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept"
Access-Control-Allow-Methods: 'GET,PUT,POST,DELETE'
Content-Type: application/json 
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrftoken=***; sessionid="***"

这是响应头:

Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Content-Type: application/json

我哪里出错了?！

编辑 1:我一直在使用 chrome --disable-web-security，但现在希望事情真正起作用.

Edit 1: I've been using chrome --disable-web-security, but now want things to actually work.

编辑 2:答案:

所以，我的解决方案 django-cors-headers 配置:

So, solution for me django-cors-headers config:

CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
    'http://localhost:3000' # Here was the problem indeed and it has to be http://localhost:3000, not http://localhost:3000/
)

推荐答案

这是安全的一部分，你不能那样做.如果您想允许凭据，那么您的 Access-Control-Allow-Origin 不得使用 *.您必须指定确切的协议 + 域 + 端口.作为参考，请参阅这些问题:

This is a part of security, you cannot do that. If you want to allow credentials then your Access-Control-Allow-Origin must not use *. You will have to specify the exact protocol + domain + port. For reference see these questions :

1. Access-Control-Allow-Origin 通配符子域、端口和协议
2. 使用凭证的跨源资源共享

除此之外 * 过于宽松，会破坏凭据的使用.所以将 http://localhost:3000 或 http://localhost:8000 设置为允许源头.

Besides * is too permissive and would defeat use of credentials. So set http://localhost:3000 or http://localhost:8000 as the allow origin header.

这篇关于CORS:当凭据标志为真时，不能在 Access-Control-Allow-Origin 中使用通配符的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！