[英]withCredentials and wildcard * - 'Access-Control-Allow-Origin' header issue
I have an app in nodejs that will serve as a proxy to connecting to various social platforms.我在 nodejs 中有一个应用程序,它将作为连接到各种社交平台的代理。 The flow is like this:
流程是这样的:
Here is the issue, after sending AJAX request for step 3, CORS issue occurs.这是问题所在,在为第 3 步发送 AJAX 请求后,出现 CORS 问题。 This is the code:
这是代码:
jQuery.ajax({
url: "http://localhost:9057/facebook/gettoken",
type: 'GET',
dataType: "json",
xhrFields: {
// -->> In order to access the cookie, we have to have this set as true.
withCredentials: true
},
crossDomain: true,
success: function (res) {
console.log(res);
}
});
In my NodeJS app, I have cors set up as:在我的 NodeJS 应用程序中,我将 cors 设置为:
if (config.getOption('PORT')) {
const corsOptions = {
credentials: true
};
app.use(cors(corsOptions));
// -->> I cannot have * here here, withCredentials cannot be set to true and have *, see the error below
app.options('*', cors(corsOptions));
}
This is the error:这是错误:
Access to XMLHttpRequest at ' http://localhost:9057/facebook/gettoken ' from origin ' http://something.test:8080 ' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
从来源“ http://something.test:8080 ”访问位于“ http://localhost:9057/facebook/gettoken ”的 XMLHttpRequest 已被 CORS 策略阻止:“Access-Control-Allow-Origin”的值当请求的凭据模式为“include”时,响应中的标头不能是通配符“*”。 The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
XMLHttpRequest 发起的请求的凭据模式由 withCredentials 属性控制。
I cannot whitelist the domains that 'http://something.test:8080'
represents as they will be user websites.我无法将
'http://something.test:8080'
代表的域列入白名单,因为它们将是用户网站。
Anyone knows a workaround, if there is one?任何人都知道解决方法,如果有的话?
They give an example of how to use a dynamic origin:他们给出了如何使用动态原点的示例:
var whitelist = ['http://example1.com', 'http://example2.com'] var corsOptions = { origin: function (origin, callback) { if (whitelist.indexOf(origin),== -1) { callback(null, true) } else { callback(new Error('Not allowed by CORS')) } } }
If you can't whitelist, then just remove the test for the whitelist!如果你不能白名单,那么就把白名单的测试去掉!
var corsOptions = {
origin: function (origin, callback) {
callback(null, true)
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.