Access-Control-Allow-Origin不允许使用origin http:// localhost
[英]Origin http://localhost is not allowed by Access-Control-Allow-Origin
问题描述
I'm trying to do a fetch from backbone.js to my node.js server. 
我正在尝试从backbone.js获取到我的node.js服务器。 However, I get the following error in the console: 但是,我在控制台中收到以下错误:
Origin http://localhost is not allowed by Access-Control-Allow-Origin.
I added the following to my node.js server: 我将以下内容添加到node.js服务器:
var allowCrossDomain = function(req, res, next) {
res.header('Access-Control-Allow-Origin', "http://localhost");
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
};
app.configure(function() {
app.use(allowCrossDomain);
});
But it's still returning the same error. 但它仍然返回相同的错误。 However, even if this did work, it doesn't seem like the ideal solution, as I would like users from all over to be able to send requests. 但是,即使这确实有效,它似乎也不是理想的解决方案,因为我希望来自各地的用户能够发送请求。
5 个解决方案
解决方案1
12 已采纳 2013-04-16 20:46:57
If you want everyone to be able to access the Node app, then try using 如果您希望每个人都能够访问Node应用程序,请尝试使用
res.header('Access-Control-Allow-Origin', "*")
That will allow requests from any origin. 这将允许来自任何来源的请求。 The CORS enable site has a lot of information on the different Access-Control-Allow headers and how to use them. CORS启用站点有很多关于不同的Access-Control-Allow标头以及如何使用它们的信息。
I you are using Chrome, please look at this bug bug regarding localhost and Access-Control-Allow-Origin. 您使用的是Chrome我,请看看这个关于本地主机和访问控制允许来源错误的bug。 There is another StackOverflow question here that details the issue. 这里有另一个StackOverflow问题详细说明了这个问题。
解决方案2
0 2013-04-16 20:42:44
If you are making the fetch call to your localhost which I'm guessing is run by node.js in the same directory as your backbone code, than it will most likely be on http://localhost:3000 or something like that. 如果您正在对您的localhost进行fetch调用,我猜测它是由与主干代码相同的目录中的node.js运行,而不是很可能是在http://localhost:3000或类似的东西上。 Than this should be your model: 比这应该是你的模型:
var model = Backbone.Model.extend({
url: '/item'
});
And in your node.js you now have to accept that call like this: 在你的node.js中,你现在必须接受这样的调用:
app.get('/item', function(req, res){
res.send('some info here');
});
解决方案3
0 2013-07-13 08:53:38
There are 2 calls that need to set the correct headers. 有2个调用需要设置正确的标头。 Initially there is a preflight check so you need something like... 最初有一个预检检查,所以你需要像...
app.get('/item', item.list);
app.options('/item', item.preflight);
and then have the following functions... 然后有以下功能......
exports.list = function (req, res) {
Items.allItems(function (err, items) {
...
res.header('Access-Control-Allow-Origin', "*"); // TODO - Make this more secure!!
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST');
res.header('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept');
res.send(items);
}
);
};
and for the pre-flight checks 以及飞行前检查
exports.preflight = function (req, res) {
Items.allItems(function (err, items) {
res.header('Access-Control-Allow-Origin', "*"); // TODO - Make this more secure!!
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST');
res.header('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept');
res.send(200);
}
);
};
You can consolidate the res.header() code into a single function if you want. 如果需要,可以将res.header()代码合并为单个函数。
Also as stated above, be careful of using res.header('Access-Control-Allow-Origin', "*") this means anyone can access your site! 同样如上所述,小心使用res.header('Access-Control-Allow-Origin',“*”)这意味着任何人都可以访问您的网站!
解决方案4
0 2014-08-22 15:14:18
By localhost you have to use the null origin. 通过localhost,您必须使用null原点。 I recommend you to create a list of allowed hosts and check the request's Host header. 我建议您创建一个允许的主机列表,并检查请求的Host头。 If it is contained by the list, then by localhost send back an 如果它包含在列表中,那么由localhost发回一个
res.header('Access-Control-Allow-Origin', "null");
by any other domain an 任何其他域名
res.header('Access-Control-Allow-Origin', hostSentByTheRequestHeader);
If it is not contained by the list, then send back the servers host name, so the browser will hide the response by those requests. 如果列表中未包含它,则发回服务器主机名,因此浏览器将隐藏这些请求的响应。
This is much more secure, because by allow origin * and allow credentials everybody will be capable of for example stealing profile data of a logged in user, etc... 这样更加安全,因为通过允许origin *并允许凭证,每个人都能够窃取登录用户的个人资料数据等...
So to summarize something like this: 所以总结一下这样的事情:
if (reqHost in allowedHosts)
if (reqHost == "http://localhost")
res.header('Access-Control-Allow-Origin', "null");
else
res.header('Access-Control-Allow-Origin', reqHost);
else
res.header('Access-Control-Allow-Origin', serverHost);
is the most secure solution if you want to allow multiple other domains to access your page. 如果您想允许多个其他域访问您的页面,则是最安全的解决方案。 (I guess you can figure out how the get the host request header and the server host by node.js.) (我想你可以弄清楚如何通过node.js获取主机请求头和服务器主机)
解决方案5
0 2017-12-07 08:15:29
This approach resolved my issue to allow multiple domain 这种方法解决了我的问题,允许多个域
app.use(function(req, res, next) {
var allowedOrigins = ['http://127.0.0.1:8020', 'http://localhost:8020', 'http://127.0.0.1:9000', 'http://localhost:9000'];
var origin = req.headers.origin;
if(allowedOrigins.indexOf(origin) > -1){
res.setHeader('Access-Control-Allow-Origin', origin);
}
//res.header('Access-Control-Allow-Origin', 'http://127.0.0.1:8020');
res.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
res.header('Access-Control-Allow-Credentials', true);
return next();
});
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.