访问控制允许来源:“*"当凭证标志为真时不允许，但没有 Access-Control-Allow-Credentials 标头 [英] Access-Control-Allow-Origin: "*" not allowed when credentials flag is true, but there is no Access-Control-Allow-Credentials header

问题描述

突然间，似乎没有更改我的网络应用程序中的任何内容，我在 Chrome 中打开它时开始收到 CORS 错误.我尝试添加 Access-Control-Allow-Origin: * 标头.然后我得到这个错误:

Suddenly, seemingly without changing anything in my web app, I started getting CORS errors when opening it in Chrome. I tried adding an Access-Control-Allow-Origin: * header. Then I get this error:

<代码>XMLHttpRequest 无法加载 http://localhost:9091/sockjs-node/info?t= 1449187563637.当凭证标志为真时，不能在Access-Control-Allow-Origin"标头中使用通配符*".因此，不允许访问 Origin 'http://localhost:3010'.

但如下图所示，没有 Access-Control-Allow-Credentials 标头.

But as you can see in the following image, there is no Access-Control-Allow-Credentials header.

WTF?Chrome 错误?

WTF? Chrome bug?

我的页面在 http://localhost:3010 加载，该服务器也使用 Access-Control-Allow-Origin: * 没有问题.如果两个端点都使用它会不会有问题?

My page is loaded at http://localhost:3010 and that server also uses Access-Control-Allow-Origin: * without problems. Is there a problem if the two endpoints both use it?

推荐答案

"credentials flag" 指的是请求的XMLHttpRequest.withCredentials，而不是一个Access-Control-Allow-Credentials 标头.这是我困惑的根源.

"credentials flag" refers to XMLHttpRequest.withCredentials of the request being made, not to an Access-Control-Allow-Credentials header. That was the source of my confusion.

如果请求的withCredentials为true，则Access-Control-Allow-Origin: *不能使用，即使有没有 Access-Control-Allow-Credentials 标头.

If the request's withCredentials is true, Access-Control-Allow-Origin: * can't be used, even if there is no Access-Control-Allow-Credentials header.

这篇关于访问控制允许来源:“*"当凭证标志为真时不允许，但没有 Access-Control-Allow-Credentials 标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！