Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
My application does some REST requests from a Java web application. The requests are CORS requests, so the browser does an OPTIONS preflight every time before the real one. Each request is similar to:
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: iv-groups,iv-user,x-xsrf-token
    Origin: http://localhost:4200
    Connection: keep-alive
    Cache-Control: max-age=0
The Java application response is:
    HTTP/1.1 200
    Set-Cookie: JSESSIONID=70A5ED7E8D32DCEE55991D3945994AB0; Path=/blablab; HttpOnly
    Set-Cookie: XSRF-TOKEN=35ad4230-b664-400c-84c0-7d06877bf05d; Path=/
    Vary: Origin
    Vary: Access-Control-Request-Method
    Vary: Access-Control-Request-Headers
    Access-Control-Allow-Origin: http://localhost:4200
    Access-Control-Allow-Methods: GET,POST,PUT,DELETE,HEAD,OPTIONS
    Access-Control-Allow-Headers: iv-groups, iv-user, x-xsrf-token
    Access-Control-Allow-Credentials: true
    Access-Control-Max-Age: 1800
    Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Frame-Options: DENY
    Content-Length: 0
    Date: Thu, 22 Nov 2018 08:31:18 GMT
For Firefox this response is a CORS violation; on the console it writes: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’.

For Google Chrome the request is OK and the content is shown.
That happens if you are using withCredentials in your client-side request. In that case you can modify the server side to check allowed referers and send the correct URL in the Access-Control-Allow-Origin header. If you do not use credentials, * is accepted.

Some more information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
For everyone coming here searching for this issue:

I had an extension installed (CORS Unblock) which had overwritten the headers. Turning that off or uninstalling it removed the problem.
This config worked for me. Pay attention on the client side to

    withCredentials: true
Client side config:

    const config = {
      url: 'http://somedomain',
      method: 'post',
      withCredentials: true,
      data: { myfield: "myvalue" }
    };
    axios.request(config);
Server side config:
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers X-PINGOTHER, Content-Type
Access-Control-Allow-Methods GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Access-Control-Allow-Origin: http://localhost:4200 // WILD CARD WILL NOT WORK WHEN POSTING
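The following is an added example, not code from the question or from any of the answers above. It models the two halves that the first answer (validate the origin server-side and echo it instead of `*`) and the last answer (`withCredentials: true` on the client, an explicit origin on the server) describe: a server building its CORS response headers from an origin allow-list, and the check a browser applies to a response when the request was sent with credentials, which is what produces the Firefox error in the question. The allow-list, the `attacker.example` origin and the custom header names are constructed for illustration; the check follows the CORS-check steps of the Fetch standard.

```javascript
// Added example (not from the original thread): server-side CORS header
// construction from an origin allow-list, and a model of the browser's
// CORS check for credentialed requests.

// Assumed allow-list: exact origin serializations (scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  "http://localhost:4200",
  "https://app.example.com",
]);

// Build CORS response headers for a request carrying `requestOrigin`.
// `allowCredentials` enables credentialed mode (cookies, Authorization);
// `wildcard` reproduces the weak configuration the question is about.
function corsHeaders(requestOrigin, { allowCredentials = false, wildcard = false } = {}) {
  // Vary: Origin keeps a shared cache from serving one origin's ACAO to another.
  const headers = { "Vary": "Origin" };
  if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (ALLOWED_ORIGINS.has(requestOrigin)) {
    // Echo exactly the validated origin. Echoing any Origin unchecked would let
    // every site read credentialed responses, so the allow-list lookup is the
    // security-relevant step, not the echo itself.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  } else {
    // Unknown origin: send no Access-Control-Allow-Origin at all; the browser blocks.
    return headers;
  }
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS";
  headers["Access-Control-Allow-Headers"] = "iv-groups, iv-user, x-xsrf-token";
  headers["Access-Control-Max-Age"] = "1800";
  return headers;
}

// Model of the browser-side CORS check applied to a response.
// Returns { ok: true } or { ok: false, reason }.
function browserCorsCheck(requestOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acac = headers["Access-Control-Allow-Credentials"];
  if (acao === undefined) {
    return { ok: false, reason: "missing Access-Control-Allow-Origin" };
  }
  if (!withCredentials) {
    // Anonymous request: "*" or an exact origin match is accepted.
    if (acao === "*" || acao === requestOrigin) return { ok: true };
    return { ok: false, reason: `origin '${requestOrigin}' does not match '${acao}'` };
  }
  // Credentialed request: "*" is rejected even though it would "match" anything.
  if (acao === "*") {
    return {
      ok: false,
      reason: "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'",
    };
  }
  if (acao !== requestOrigin) {
    return { ok: false, reason: `origin '${requestOrigin}' does not match '${acao}'` };
  }
  // The value must be exactly "true" (case-sensitive); "True" or "1" fails.
  if (acac !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials must be exactly 'true'" };
  }
  return { ok: true };
}

// The scenarios from the thread: the same client (withCredentials: true)
// against a wildcard server and an allow-list server, an anonymous request
// against the wildcard server, and an origin that is not on the list.
function runScenarios() {
  const origin = "http://localhost:4200";
  const other = "https://attacker.example"; // constructed, not on the allow-list
  return {
    wildcardWithCredentials: browserCorsCheck(origin, true, corsHeaders(origin, { allowCredentials: true, wildcard: true })),
    allowListWithCredentials: browserCorsCheck(origin, true, corsHeaders(origin, { allowCredentials: true })),
    wildcardAnonymous: browserCorsCheck(origin, false, corsHeaders(origin, { wildcard: true })),
    unlistedOrigin: browserCorsCheck(other, true, corsHeaders(other, { allowCredentials: true })),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(name, result.ok ? "allowed" : `blocked: ${result.reason}`);
}
```

Only `allowListWithCredentials` and `wildcardAnonymous` pass: the wildcard server fails as soon as the client sends cookies, and the allow-list server answers the unlisted origin with no Access-Control-Allow-Origin at all, so the browser blocks it. Note that the check is exact-match: a trailing slash, a different port or `https` versus `http` in the echoed value also fails it.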