如果 CORS 标头“Access-Control-Allow-Origin”为“*”,则不支持凭据
[英]Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
问题描述
My application do some REST request in a java web application.
我的应用程序在 Java Web 应用程序中执行一些 REST 请求。 the requests are CORS requests so the browser do every time an OPTION preflight before the real one.请求是 CORS 请求,因此浏览器每次在真正的 OPTION 预检之前都会执行。 Each request are similar to每个请求都类似于
Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9, / ;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Access-Control-Request-Method: GET Access-Control-Request-Headers: iv-groups,iv-user,x-xsrf-token Origin: http://localhost:4200 Connection: keep-alive Cache-Control: max-age=0
The java application response is: Java 应用程序响应是:
HTTP/1.1 200 Set-Cookie: JSESSIONID=70A5ED7E8D32DCEE55991D3945994AB0;
For firefox this response is an CORS violation on the console it writes Credential is not supported if the CORS header Access-Control-Allow-Origin is * .对于 firefox,如果 CORS 标头Access-Control-Allow-Origin是*此响应是控制台上的 CORS 违规,它写入 Credential is not supported。
For google chrome the request is ok and the content is showed.对于谷歌浏览器,请求没问题,内容显示。
3 个解决方案
解决方案1
3 2018-11-22 11:02:58
That happens if you are using withCredentials in your client side request.如果您在客户端请求中使用withCredentials ,就会发生这种情况。 In that case you can modify the server side to check allowed referers and send the correct url in the Access-Control-Allow-Origin header.在这种情况下,您可以修改服务器端以检查允许的引用并在 Access-Control-Allow-Origin 标头中发送正确的 url。 If you do not use credentials * is accepted.如果您不使用凭据 * 被接受。
Some more information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials可以在此处找到更多信息: https : //developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
解决方案2
0 2020-03-05 14:27:31
For everyone coming here searching for this issue:对于来到这里寻找此问题的每个人:
I had an extension installed ( CORS Unblock ) which had overwritten the headers.我安装了一个扩展( CORS Unblock ),它覆盖了标题。 Turning that off or uninstalling it removed the problem.关闭它或卸载它消除了问题。
解决方案3
-1 2020-04-12 09:21:54
This config worked for me.这个配置对我有用。 Pay attention in client side withCredentials: true在客户端注意withCredentials: true
Client side config:客户端配置:
config = {
url:'http://somedomain',
method:'post',
withCredentials: true,
data:{myfield:"myvalue"}
};
axios.request(config);
Server side config:服务器端配置:
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers X-PINGOTHER, Content-Type
Access-Control-Allow-Methods GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Access-Control-Allow-Origin: http://localhost:4200 // WILD CARD WILL NOT WORK WHEN POSTING
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.