访问控制允许来源:“*"当凭证标志为真时不允许,但没有 Access-Control-Allow-Credentials 标头 [英] Access-Control-Allow-Origin: "*" not allowed when credentials flag is true, but there is no Access-Control-Allow-Credentials header
问题描述
突然间,似乎没有更改我的网络应用程序中的任何内容,我在 Chrome 中打开它时开始收到 CORS 错误.我尝试添加 Access-Control-Allow-Origin: *
标头.然后我得到这个错误:
Suddenly, seemingly without changing anything in my web app, I started getting CORS errors when opening it in Chrome. I tried adding an Access-Control-Allow-Origin: *
header. Then I get this error:
<代码>XMLHttpRequest 无法加载 http://localhost:9091/sockjs-node/info?t= 1449187563637.当凭证标志为真时,不能在Access-Control-Allow-Origin"标头中使用通配符*".因此,不允许访问 Origin 'http://localhost:3010'.
但如下图所示,没有 Access-Control-Allow-Credentials
标头.
But as you can see in the following image, there is no Access-Control-Allow-Credentials
header.
WTF?Chrome 错误?
WTF? Chrome bug?
我的页面在 http://localhost:3010
加载,该服务器也使用 Access-Control-Allow-Origin: *
没有问题.如果两个端点都使用它会不会有问题?
My page is loaded at http://localhost:3010
and that server also uses Access-Control-Allow-Origin: *
without problems. Is there a problem if the two endpoints both use it?
推荐答案
"credentials flag" 指的是请求的XMLHttpRequest.withCredentials
,而不是一个Access-Control-Allow-Credentials
标头.这是我困惑的根源.
"credentials flag" refers to XMLHttpRequest.withCredentials
of the request being made, not to an Access-Control-Allow-Credentials
header. That was the source of my confusion.
如果请求的withCredentials
为true
,则Access-Control-Allow-Origin: *
不能使用,即使有没有 Access-Control-Allow-Credentials
标头.
If the request's withCredentials
is true
, Access-Control-Allow-Origin: *
can't be used, even if there is no Access-Control-Allow-Credentials
header.
这篇关于访问控制允许来源:“*"当凭证标志为真时不允许,但没有 Access-Control-Allow-Credentials 标头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!