使用凭证进行跨域资源共享 [英] Cross Origin Resource Sharing with Credentials
问题描述
我有一个跨多个子域(example.com、blog.example.com 和 app.example.com)的通用身份验证表单.登录表单必须将此数据提交给 example.com,无论它显示在哪里,所以我想到了使用 CORS,但是这样:
I have a common authentication form across multiple subdomains (example.com, blog.example.com, and app.example.com). The login form must submit this data to example.com irrespective of where it is shown, so I thought of using CORS, but this:
header("Access-Control-Allow-Origin: http://example.com http://blog.example.com http://app.example.com")
所以我想做下一件事,在服务器端手动检查 Origin 标头,并允许 Access-Control-Allow-Origin: * 以便可以发出请求,但不幸的是,这出现在在MDN中
So I thought of doing the next thing, and checking the Origin header manually on server side, and allowing a Access-Control-Allow-Origin: * so that requests might be made, but unfortunately, this crops up in the MDN
重要提示:在响应凭据请求时,服务器必须指定域,并且不能使用通配符.
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding.
有什么方法可以让我的请求跨多个域工作,并且仍然使用 CORS 发送凭据?
Is there any way to make my request work across multiple domains, and still send credentials using CORS ?
推荐答案
两个想法:
1) 您是否还包括Access-Control-Allow-Credentials: true"标头?这是传递 cookie 凭据所必需的(并且相应的 XHR 客户端必须设置 .withCredentials = true)
1) are you also including the "Access-Control-Allow-Credentials: true" header? This is needed for passing cookie credentials (and the corresponding XHR client must set .withCredentials = true)
2) 您是否尝试过链接中的建议,并且仅包含当前请求的来源.例如,如果请求带有标头Origin: http://blog.example.com",您会回复Access-Control-Allow-Origin: http://blog.example.com",并且不是原产地清单.这需要在您的服务器端实现上做更多的工作.
2) Have you tried the suggestion from your link and only include the origin for the current request. For example, if a request comes in with the header "Origin: http://blog.example.com", you would respond with "Access-Control-Allow-Origin: http://blog.example.com", and not a list of origins. This requires a little more work on your server side implementation.
3) 另一种想法是,您提到您有一个必须由各个域共享的登录表单.好吧,如果它是一个标准的 HTML 表单,您可以跨域进行常规的表单发布.您不需要使用 CORS.只需将表单的action"属性设置为您希望发布到的 url.例如:
3) One other thought, you mention that you have a single login form that must be shared by various domains. Well, if it is a standard HTML form, you can do a regular form-post across domains. You don't need to use CORS. Just set the "action" property of the form to the url you wish to post to. For example:
<form name="login" action="http://login.example.com/doLogin">
这篇关于使用凭证进行跨域资源共享的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
