起源<起源>Access-Control-Allow-Origin 不允许 [英] Origin <origin> is not allowed by Access-Control-Allow-Origin

问题描述

XMLHttpRequest cannot load http://localhost:8080/api/test. Origin http://localhost:3000 is not allowed by Access-Control-Allow-Origin. 

我阅读了有关跨域 ajax 请求的内容，并了解了潜在的安全问题.就我而言，有 2 台服务器在本地运行，并且希望在测试期间启用跨域请求.

I read about cross domain ajax requests, and understand the underlying security issue. In my case, 2 servers are running locally, and like to enable cross domain requests during testing.

localhost:8080 - Google Appengine dev server
localhost:3000 - Node.js server

当我的页面从节点服务器加载时，我正在向 localhost:8080 - GAE 服务器 发出 ajax 请求.什么是最简单、最安全的(不想用 disable-web-security 选项启动 chrome).如果我必须更改 'Content-Type'，我应该在节点服务器上做吗?怎么样?

I am issuing an ajax request to localhost:8080 - GAE server while my page is loaded from node server. What is the easiest, and safest ( Don't want to start chrome with disable-web-security option). If I have to change 'Content-Type', should I do it at node server? How?

推荐答案

由于它们运行在不同的端口上，因此它们是不同的 JavaScript origin.它们在同一台机器/主机名上并不重要.

Since they are running on different ports, they are different JavaScript origin. It doesn't matter that they are on the same machine/hostname.

您需要在服务器 (localhost:8080) 上启用 CORS.查看此站点:http://enable-cors.org/

You need to enable CORS on the server (localhost:8080). Check out this site: http://enable-cors.org/

您需要做的就是向服务器添加一个 HTTP 标头:

All you need to do is add an HTTP header to the server:

Access-Control-Allow-Origin: http://localhost:3000

或者，为简单起见:

Access-Control-Allow-Origin: *

如果您的服务器尝试设置 cookie 并且您使用 withCredentials = true

Thought don't use "*" if your server is trying to set cookie and you use withCredentials = true

响应认证请求时，服务器必须指定域，不能使用通配符.

when responding to a credentialed request, server must specify a domain, and cannot use wild carding.

您可以在此处阅读有关 withCredentials 的更多信息

这篇关于起源<起源>Access-Control-Allow-Origin 不允许的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！