[英]rejected by cors when using withCredentials, despiete access-control-allow-credentials and origin are set
I'm using AWS lambdas and cloudfront to serve a SPA.我正在使用 AWS lambdas 和 cloudfront 来提供 SPA。 Now that my lambdas are setting a cookie, I want to include that cookie in the requests I made to the backend (the cookie is
HttpOnly
and Secure
).现在我的 lambdas 正在设置一个 cookie,我想将该 cookie 包含在我向后端发出的请求中(cookie 是
HttpOnly
和Secure
)。 Using Axios I set the withCredentials
option to true and all my request are now being rejected because CORS.使用 Axios 我将
withCredentials
选项设置为 true,我的所有请求现在都被拒绝,因为 CORS。 The web app is being served from the main domain, while the backend lambdas are on the usual lambda weird UUID url. web 应用程序正在从主域提供服务,而后端 lambdas 位于通常的 lambda 奇怪的 UUID url 上。 The lambdas are returning the proper headers, as you can see in the screenshot:
access-control-allow-origin
is set to the domain the web-app is being served from and access-control-allow-credentials
is true
. lambda 正在返回正确的标头,如您在屏幕截图中所见:
access-control-allow-origin
设置为提供 Web 应用程序的域,并且access-control-allow-credentials
为true
。 The screenshot is from the app without the withCredentials
option activated, so it is being triggered from the web-app 100% sure.屏幕截图来自未激活
withCredentials
选项的应用程序,因此 100% 肯定会从网络应用程序触发。 Everything is being served over https with a valid certificate (I want to test this also on localhost, but that is a different story)一切都在 https 上使用有效证书提供服务(我也想在本地主机上测试这个,但那是另一回事)
This is the error I'm getting on the console.这是我在控制台上遇到的错误。 One weird thing is that it claims that
Access-Control-Allow-Credentials
is set to ''
, which is not true一件奇怪的事情是它声称
Access-Control-Allow-Credentials
设置为''
,这是不正确的
Access to XMLHttpRequest at 'https://p3doiszvgg.execute-api.eu-central-1.amazonaws.com/dev/sessions'
from origin 'https://pento.danielo.es' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Is there anything missing?有什么遗漏吗?
EDIT:编辑:
This are the headers that I'm sending.这是我要发送的标头。 The problem with this headers is that they are obtained without the
withCredentials
flag, because if I add such flag the only headers I can see are the provisional headers.这个标头的问题在于它们是在没有
withCredentials
标志的情况下获得的,因为如果我添加这样的标志,我能看到的唯一标头是临时标头。
:authority: p3doiszvgg.execute-api.eu-central-1.amazonaws.com
:method: POST
:path: /dev/sessions
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,es-ES;q=0.8,es;q=0.7,en-US;q=0.6
authorization: Bearer the.bearer.token
cache-control: no-cache
content-length: 58
content-type: application/json;charset=UTF-8
origin: https://pento.danielo.es
pragma: no-cache
referer: https://pento.danielo.es/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Here is a provisional headers screenshot:这是一个临时标题屏幕截图:
The cookie sent by the server looks something like this:服务器发送的 cookie 如下所示:
Set-Cookie: refresh_token=uuid-string-with-letters-numbers; HttpOnly; Secure;
Finally I found the problem and a temporary solution (I'm not very happy with it).最后我找到了问题和临时解决方案(我对此不太满意)。 The problem was not my lambda response, that was correct and including the required headers, the problem was with the preflight request.
问题不是我的 lambda 响应,这是正确的并且包括所需的标头,问题在于预检请求。 Your browser will send a preflight request almost for every CORS request you made, and, while that request was being successful it was missing some headers.
您的浏览器几乎会为您发出的每个 CORS 请求发送一个预检请求,并且,虽然该请求成功,但它缺少一些标头。 This can be very confusing because the request that it is failing is your actual request (that is what the browser flags as failed) but the problem is on the preflight response.
这可能会非常令人困惑,因为它失败的请求是您的实际请求(浏览器将其标记为失败),但问题出在预检响应上。
To be fair, the error on the console was already pointing this out:公平地说,控制台上的错误已经指出了这一点:
Response to preflight request doesn't pass access control check
But it is abit buried, easy to miss and the documentation about it is sparse.但它有点隐藏,容易错过,而且关于它的文档很少。
The way I fixed it is by adding some extra props to the CORS definition of my serverless template:我修复它的方法是在我的无服务器模板的 CORS 定义中添加一些额外的道具:
authEcho:
handler: src/users/me.handler
events:
- http:
path: me
method: get
cors:
origin: https://frontend.domain.es
allowCredentials: true # <-- this is the key part
It is not clear on the serverless documentation, but those will be merged with the final response, so you don't need to specify everything or all the headers.无服务器文档尚不清楚,但这些将与最终响应合并,因此您无需指定所有内容或所有标题。 The only thing I don't like is that I have to hardcode the origin, while on the actual labmda responses I can calculate it dynamically.
我唯一不喜欢的是我必须对原点进行硬编码,而在实际的 labmda 响应中我可以动态计算它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.