CouchDB +凭证+原始通配符的CORS问题 [英] CORS issue with CouchDB + credentials + origin wildcard
问题描述
我正试图在Cloud.ch上从Cloudant转移到Jelastic。当我在本地测试时,我在使用pouchdb时遇到了CORS错误(离子服务)。
除了CouchDB之外,Jelastic还有其他任何配置吗?
XMLHttpRequest无法加载
通过CURL进行正常访问。从Cloudant到Jelastic的复制工作也很顺利。
我尝试使用Chrome扩展程序启用Allow-Control-Allow-Origin:*
解决方案
您无法同时设置
originins = *和credentials = true选项
所以这似乎意味着如果你想要带有凭据的跨域请求来使用couchdb,你必须设置
起源显示允许来源的明确列表的值;例如:[cors]
origins = http:// localhost,https:// localhost,http: //couch.mydev.name:8080
顺便说一句,似乎这应该作为couchdb提出。当设置
credentials = true时,couchdb不应该支持允许来自所有来源的请求。
许多/大多数其他Web服务器系统支持在包含凭据时允许来自所有源的请求。它们处理它的方式是只取
Origin请求标头的值,基本上只是将它回显到Access-的值 - Control-Allow-Origin响应头。
实现这样做的服务器代码是微不足道的。
但是,如果没有实际纠正这个缺陷,那么当你尝试设置
origin = * +credentials = true。
因为事情是,那句话你不能设置
originins = *和credentials = true选项在文档中的不是真的。很明显,可以同时设置两者(正如您的配置屏幕捕获证明) - 只是系统不会发出任何明显的警告/错误来告诉您发送凭据的任何客户端请求如果你设置了这样的couchdb,它将会失败。I am trying to move from Cloudant to Jelastic on flow.ch. I am getting CORS errors with pouchdb when testing locally (ionic serve).
Is there any other configuration in Jelastic besides CouchDB I am missing?
XMLHttpRequest cannot load http://xxx.flow.ch/xxx. Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:8100' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I configured a CouchDB on Jelastic and activated CORS.
Normal access via CURL works. Replication from Cloudant to Jelastic worked as well.
I tried to use a Chrome extension to enable "Allow-Control-Allow-Origin: *"
解决方案The couchdb docs unfortunately say this:
You can’t set
origins = *andcredentials = trueoption at the same timeSo that would seem to imply that if you want cross-origin requests with credentials to work with couchdb, you must set the
originsvalue to an explicit list of allowed origins; for example:[cors] origins = http://localhost, https://localhost, http://couch.mydev.name:8080
Incidentally, it seems like this should be raised as an couchdb. There’s no good reason why couchdb shouldn’t support allowing requests from all origins when
credentials = trueis set.Many/most other Web server systems support allowing requests from all origins when credentials are included. The way they all handle it is to just take the value of the
Originrequest header, and essentially just echo it back to the value of theAccess-Control-Allow-Originresponse header.It is trivial to implement server code that does that.
But short of actually correcting that deficiency, the couchdb maintainers should at least fix their config-handling code to fail hard when you try to set both
origins = *+credentials = true.Because the thing is, that statement "You can’t set
origins = *andcredentials = trueoption at the same" in the docs isn’t true. Clearly you can set both at the same time (as your config screen capture proves)—it’s just that the system doesn’t emit any kind of obvious warning/error to tell you any client requests that send credentials are going to fail if you have couchdb set that way.这篇关于CouchDB +凭证+原始通配符的CORS问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
