withCredentials 和通配符 * - 'Access-Control-Allow-Origin' 标头问题
[英]withCredentials and wildcard * - 'Access-Control-Allow-Origin' header issue
问题描述
I have an app in nodejs that will serve as a proxy to connecting to various social platforms.
我在 nodejs 中有一个应用程序,它将作为连接到各种社交平台的代理。 The flow is like this:流程是这样的:
- Click on a button, open a new window点击一个按钮,打开一个新窗口
- Before closing a window, add access token to cookie (for now the app is on localhost, so the token is on that domain) as a nonce and add it to database.在关闭窗口之前,将访问令牌添加到 cookie(目前应用程序位于本地主机上,因此令牌位于该域上)作为随机数并将其添加到数据库中。
- Once the modal closes, go to another endpoint that will take that nonce from cookie, search in db, and return the token.模式关闭后,转到另一个端点,该端点将从 cookie 中获取该随机数,在数据库中搜索并返回令牌。
Here is the issue, after sending AJAX request for step 3, CORS issue occurs.这是问题所在,在为第 3 步发送 AJAX 请求后,出现 CORS 问题。 This is the code:这是代码:
jQuery.ajax({
url: "http://localhost:9057/facebook/gettoken",
type: 'GET',
dataType: "json",
xhrFields: {
// -->> In order to access the cookie, we have to have this set as true.
withCredentials: true
},
crossDomain: true,
success: function (res) {
console.log(res);
}
});
In my NodeJS app, I have cors set up as:在我的 NodeJS 应用程序中,我将 cors 设置为:
if (config.getOption('PORT')) {
const corsOptions = {
credentials: true
};
app.use(cors(corsOptions));
// -->> I cannot have * here here, withCredentials cannot be set to true and have *, see the error below
app.options('*', cors(corsOptions));
}
This is the error:这是错误:
Access to XMLHttpRequest at ' http://localhost:9057/facebook/gettoken ' from origin ' http://something.test:8080 ' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
I cannot whitelist the domains that 'http://something.test:8080' represents as they will be user websites.我无法将'http://something.test:8080'代表的域列入白名单,因为它们将是用户网站。
Anyone knows a workaround, if there is one?任何人都知道解决方法,如果有的话?
1 个解决方案
解决方案1
1 已采纳 2020-01-21 14:27:32
They give an example of how to use a dynamic origin:他们给出了如何使用动态原点的示例:
var whitelist = ['http://example1.com', 'http://example2.com'] var corsOptions = { origin: function (origin, callback) { if (whitelist.indexOf(origin),== -1) { callback(null, true) } else { callback(new Error('Not allowed by CORS')) } } }
If you can't whitelist, then just remove the test for the whitelist!如果你不能白名单,那么就把白名单的测试去掉!
var corsOptions = {
origin: function (origin, callback) {
callback(null, true)
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.