[英]The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'
My application is working fine in IE browser, But it's not working in Chrome browser due to CORS
issue. 我的应用程序在IE浏览器中运行良好, 但由于CORS
问题 , 它无法在Chrome浏览器中运行。
The issue is 问题是
Failed to load http://localhost:52487/api/Authentication/ : The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. 无法加载http:// localhost:52487 / api / Authentication / :当请求的凭据模式为“include”时,响应中的“Access-Control-Allow-Origin”标头的值不能是通配符“*” 。 Origin ' http://localhost:4200 ' is therefore not allowed access. 因此不允许来源' http:// localhost:4200 '访问。 The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute. XMLHttpRequest发起的请求的凭据模式由withCredentials属性控制。
I am using angular 2 in front-end and using Asp.net core 1.0 in back-end. 我在前端使用angular 2并在后端使用Asp.net core 1.0。 I have tried 我试过了
This is my startup code 这是我的启动代码
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowAll", p =>
{
p.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod();
});
});
// Add framework services.
services.AddMvc();
// Add functionality to inject IOptions<T>
services.AddOptions();
// Add our Config object so it can be injected
services.Configure<Data>(Configuration.GetSection("Data"));
services.Configure<COCSettings>(Configuration.GetSection("COCSettings"));
services.Configure<EmailSettings>(Configuration.GetSection("EmailSettings"));
AppSettings.ConnectionString = Configuration["Data:DefaultConnectionString"];
// *If* you need access to generic IConfiguration this is **required**
services.AddSingleton<IConfiguration>(Configuration);
// Injecting repopsitories with interface
AddServices(services);
// Add Json options
services.AddMvc().AddJsonOptions(options => options.SerializerSettings.ContractResolver = new DefaultContractResolver());
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseMiddleware(typeof(ErrorHandling));
app.UseMiddleware(typeof(GetNoCache));
app.UseCors("AllowAll");
app.UseMvc();
}
this is how I am calling the API from UI(angular) side 这就是我从UI(角度)方面调用API的方式
constructor(private http: Http) {
this.headers = new Headers();
this.headers.append('Accept', 'application/json');
}
GetMaintainCOC(FYONId) {
return this.http.get(this.apiUrl + 'GetCertificationofConformity?FYONId=' + FYONId, { withCredentials: true })
.map(responce => <any>responce.json())
.catch(error => {
return Observable.throw(error);
});
}
It is working, when I am calling AllowCredentials()
inside of AddPolicy
这是工作,当我打电话AllowCredentials()
内AddPolicy
services.AddCors(options =>
{
options.AddPolicy("AllowAll", p =>
{
p.AllowAnyOrigin()
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
});
});
I got this key of idea from Access-Control-Allow-Origin: "*" not allowed when credentials flag is true, but there is no Access-Control-Allow-Credentials header 我从Access-Control-Allow-Origin获得了这个想法的关键:当credentials标志为true时,不允许使用“*”,但是没有Access-Control-Allow-Credentials标头
I am using
{ withCredentials: true }
in angularhttp
service call. 我在角度http
服务调用中使用{ withCredentials: true }
。 So I guess I should useAllowCredentials()
policy inCORS
service. 所以我想我应该在CORS
服务中使用AllowCredentials()
策略。
Well you appear to have it solved, but here's the simple answer. 好吧,你似乎已经解决了,但这是简单的答案。
If you set the withCredentials
flag in the request definition, cookies etc. will be passed in the request. 如果在请求定义中设置withCredentials
标志,则会在请求中传递cookie等。 Otherwise they won't be passed. 否则他们将不会通过。
If your server returns any Set-Cookie
response headers, then you must also return the Access-Control-Allow-Credentials: true
response header, otherwise the cookies will not be created on the client. 如果您的服务器返回任何Set-Cookie
响应头,那么您还必须返回Access-Control-Allow-Credentials: true
响应头,否则将不会在客户端上创建 cookie。 And if you're doing that, you need to also specify the EXACT origin in the Access-Control-Allow-Origin
response header, since Access-Control-Allow-Origin: *
is not compatible with credentials. 如果你这样做,你还需要指定的确切来源Access-Control-Allow-Origin
响应头,因为Access-Control-Allow-Origin: *
是不兼容的凭据。
So do this: 这样做:
Access-Control-Allow-Origin: <value-of-Origin-request-header>
response header 传递Access-Control-Allow-Origin: <value-of-Origin-request-header>
响应头 Access-Control-Allow-Credentials: true
response header 传递Access-Control-Allow-Credentials: true
响应头
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.