Access-Control-Allow-Origin:“*”在凭据标志为真时不允许,但没有Access-Control-Allow-Credentials头 [英] Access-Control-Allow-Origin: "*" not allowed when credentials flag is true, but there is no Access-Control-Allow-Credentials header
问题描述
突然,似乎没有更改我的网络应用程序的任何东西,我开始得到CORS错误,当它在Chrome中打开。我试图添加一个 Access-Control-Allow-Origin:* 头。然后我得到这个错误:
Suddenly, seemingly without changing anything in my web app, I started getting CORS errors when opening it in Chrome. I tried adding an Access-Control-Allow-Origin: * header. Then I get this error:
XMLHttpRequest不能加载http:// localhost:9091 / sockjs-node / info?t = 1449187563637.当凭证标志为真时,不能在Access-Control-Allow-Origin标头中使用通配符*。因此,不允许原始'http:// localhost:3010'访问。
但是如下图所示,没有 Access-Control-Allow -Credentials 。
But as you can see in the following image, there is no Access-Control-Allow-Credentials header.
WTF? Chrome错误?
WTF? Chrome bug?
我的网页载入 http:// localhost:3010 ,该伺服器也使用 Access-Control-Allow-Origin:* 没有问题。如果两个端点都使用它,是否有问题?
My page is loaded at http://localhost:3010 and that server also uses Access-Control-Allow-Origin: * without problems. Is there a problem if the two endpoints both use it?
推荐答案
凭证标志是指 XMLHttpRequest.withCredentials ,而不是 Access-Control-Allow-Credentials 标头。
"credentials flag" refers to XMLHttpRequest.withCredentials of the request being made, not to an Access-Control-Allow-Credentials header. That was the source of my confusion.
如果请求的 withCredentials 为 true Access-Control-Allow-Credentials Access-Control-Allow-Origin:* / code>头。
If the request's withCredentials is true, Access-Control-Allow-Origin: * can't be used, even if there is no Access-Control-Allow-Credentials header.
这篇关于Access-Control-Allow-Origin:“*”在凭据标志为真时不允许,但没有Access-Control-Allow-Credentials头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
