当请求的凭据模式为“include”时,响应中的“Access-Control-Allow-Origin”标头的值不能是通配符“*”
[英]The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'
问题描述
My application is working fine in IE browser, But it's not working in Chrome browser due to CORS issue. 
我的应用程序在IE浏览器中运行良好, 但由于CORS问题 , 它无法在Chrome浏览器中运行。
The issue is 问题是
Failed to load http://localhost:52487/api/Authentication/ : The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
I am using angular 2 in front-end and using Asp.net core 1.0 in back-end. 我在前端使用angular 2并在后端使用Asp.net core 1.0。 I have tried 我试过了
This is my startup code 这是我的启动代码
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowAll", p =>
{
p.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod();
});
});
// Add framework services.
services.AddMvc();
// Add functionality to inject IOptions<T>
services.AddOptions();
// Add our Config object so it can be injected
services.Configure<Data>(Configuration.GetSection("Data"));
services.Configure<COCSettings>(Configuration.GetSection("COCSettings"));
services.Configure<EmailSettings>(Configuration.GetSection("EmailSettings"));
AppSettings.ConnectionString = Configuration["Data:DefaultConnectionString"];
// *If* you need access to generic IConfiguration this is **required**
services.AddSingleton<IConfiguration>(Configuration);
// Injecting repopsitories with interface
AddServices(services);
// Add Json options
services.AddMvc().AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseMiddleware(typeof(ErrorHandling));
app.UseMiddleware(typeof(GetNoCache));
app.UseCors("AllowAll");
app.UseMvc();
}
this is how I am calling the API from UI(angular) side 这就是我从UI(角度)方面调用API的方式
constructor(private http: Http) {
this.headers = new Headers();
this.headers.append('Accept', 'application/json');
}
GetMaintainCOC(FYONId) {
return this.http.get(this.apiUrl + 'GetCertificationofConformity?FYONId=' + FYONId, { withCredentials: true })
.map(responce => <any>responce.json())
.catch(error => {
return Observable.throw(error);
});
}
2 个解决方案
解决方案1
6 已采纳 2018-02-19 07:39:16
It is working, when I am calling AllowCredentials() inside of AddPolicy 这是工作,当我打电话AllowCredentials()内AddPolicy
services.AddCors(options =>
{
options.AddPolicy("AllowAll", p =>
{
p.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
I got this key of idea from Access-Control-Allow-Origin: "*" not allowed when credentials flag is true, but there is no Access-Control-Allow-Credentials header 我从Access-Control-Allow-Origin获得了这个想法的关键:当credentials标志为true时,不允许使用“*”,但是没有Access-Control-Allow-Credentials标头
What I understood 我的理解
I am using
{ withCredentials: true }in angularhttpservice call.http服务调用中使用{ withCredentials: true }。 So I guess I should useAllowCredentials()policy inCORSservice.CORS服务中使用AllowCredentials()策略。
解决方案2
1 2018-02-20 21:10:31
Well you appear to have it solved, but here's the simple answer. 好吧,你似乎已经解决了,但这是简单的答案。
If you set the withCredentials flag in the request definition, cookies etc. will be passed in the request. 如果在请求定义中设置withCredentials标志,则会在请求中传递cookie等。 Otherwise they won't be passed. 否则他们将不会通过。
If your server returns any Set-Cookie response headers, then you must also return the Access-Control-Allow-Credentials: true response header, otherwise the cookies will not be created on the client. 如果您的服务器返回任何Set-Cookie响应头,那么您还必须返回Access-Control-Allow-Credentials: true响应头,否则将不会在客户端上创建 cookie。 And if you're doing that, you need to also specify the EXACT origin in the Access-Control-Allow-Origin response header, since Access-Control-Allow-Origin: * is not compatible with credentials. 如果你这样做,你还需要指定的确切来源Access-Control-Allow-Origin响应头,因为Access-Control-Allow-Origin: *是不兼容的凭据。
So do this: 这样做:
- Pass withCredentials in request 在请求中传递withCredentials
- Pass
Access-Control-Allow-Origin: <value-of-Origin-request-header>response header传递Access-Control-Allow-Origin: <value-of-Origin-request-header>响应头 - Pass
Access-Control-Allow-Credentials: trueresponse header传递Access-Control-Allow-Credentials: true响应头
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.