跨源资源共享与凭据 [英] Cross Origin Resource Sharing with Credentials
问题描述
我有多个子网域(example.com,blog.example.com和app.example.com)的通用验证表单。登录表单必须将这些数据提交给example.com,而不考虑它在哪里显示,所以我想到使用CORS,但是:
I have a common authentication form across multiple subdomains (example.com, blog.example.com, and app.example.com). The login form must submit this data to example.com irrespective of where it is shown, so I thought of using CORS, but this:
header("Access-Control-Allow-Origin: http://example.com http://blog.example.com http://app.example.com")
所以我想到了做下一件事,并在服务器端手动检查Origin头,并允许 Access-Control-Allow-Origin:*
,因此可能会发出请求,但不幸的是,这会导致 in the MDN
So I thought of doing the next thing, and checking the Origin header manually on server side, and allowing a Access-Control-Allow-Origin: *
so that requests might be made, but unfortunately, this crops up in the MDN
重要注意事项:在回应凭证要求时,伺服器必须指定网域,通用梳理。
Important note: when responding to a credentialed request, server must specify a domain, and cannot use wild carding.
有没有办法让我的请求在多个域中工作,仍然使用CORS发送凭据?
Is there any way to make my request work across multiple domains, and still send credentials using CORS ?
推荐答案
两个想法:
1)您还包括Access-凭证:true标题?这是需要传递cookie凭据(和相应的XHR客户端必须设置.withCredentials = true)
1) are you also including the "Access-Control-Allow-Credentials: true" header? This is needed for passing cookie credentials (and the corresponding XHR client must set .withCredentials = true)
2)您是否尝试过从您的链接的建议,为当前请求。例如,如果请求包含标题Origin: http://blog.example.com ,则您会回复 Access-Control-Allow-Origin: http://blog.example.com ,而不是起点列表。这需要在您的服务器端实现上多做一些工作。
2) Have you tried the suggestion from your link and only include the origin for the current request. For example, if a request comes in with the header "Origin: http://blog.example.com", you would respond with "Access-Control-Allow-Origin: http://blog.example.com", and not a list of origins. This requires a little more work on your server side implementation.
3)另一个想法,你提到你有一个登录表单,必须由不同的域共享。好吧,如果它是一个标准的HTML表单,你可以做一个常规表单过帐的域。您不需要使用CORS。只需将表单的action属性设置为您要发布到的网址即可。例如:
3) One other thought, you mention that you have a single login form that must be shared by various domains. Well, if it is a standard HTML form, you can do a regular form-post across domains. You don't need to use CORS. Just set the "action" property of the form to the url you wish to post to. For example:
<form name="login" action="http://login.example.com/doLogin">
这篇关于跨源资源共享与凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!