堆栈内存溢出
  简体   繁体   English

当我想连接到socket.io(Node.js)时,我在socket.io(Node.js)中有CORS错误

[英]i have CORS Error in socket.io (Node.js) when i want ot connect to that

 原文  2022-07-12 21:01:04       javascript/ node.js/ socket.io/ cors

问题描述

I have a socket.io service that different devices want to connect to that, and because of it, it's very important to me that my socket.io service allows all origins (even when a client doesn't set any origin in the header) to connect to that, this is my io (server-side):我有一个 socket.io 服务,不同的设备想要连接到它,因此,我的 socket.io 服务允许所有来源对我来说非常重要(即使客户端没有在标头中设置任何来源)要连接到它,这是我的 io(服务器端):

const server = http.createServer(app); // app is express app
const io = require('socket.io')(server,{
    allowEIO3: true,
    cors: {
        origin: '*',
        credentials: true
    },
});

and this is my client:这是我的客户:

const socket = io('http://localhost:4855/', {
  timeout: 60 * 1000,
  reconnection: true,
  forceNew: true, 
  query: {
    authorization: `Bearer ${token}`
  },
  // extraHeaders: {
  //   Authorization: "ksi",
  //   "Access-Control-Allow-Origin": "*",
  //   "Access-Control-Allow-Credentials": true
  // },
  // Headers: {
  //   "Access-Control-Allow-Origin": 'http://localhost',
  // },
  // headers: {
  //   "Access-Control-Allow-Origin": "*",
    // "Access-Control-Allow-Credentials": true
  // }
});
socket.connect();

ERROR MESSAGE: from origin 'http://localhost' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.错误消息:来自源“http://localhost”已被 CORS 策略阻止:当请求的凭据模式为时,响应中的“Access-Control-Allow-Origin”标头的值不能是通配符“*” '包括'。 The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute. XMLHttpRequest 发起的请求的凭证模式由 withCredentials 属性控制。

2 个解决方案

解决方案1
 1  2022-07-13 07:46:16

If your backend relies on the Bearer authentication scheme (as your code snippet suggests) and not on cookies, you do not need to use credentialed requests or to allow credentials in your CORS configuration .如果您的后端依赖于 Bearer 身份验证方案(如您的代码片段所示)而不是 cookie,则您不需要使用凭证请求在 CORS 配置中允许凭证 You can keep using the wildcard ( * ) to specify the allowed origins;您可以继续使用通配符 ( * ) 来指定允许的来源; you'll also need to explicitly allow the Authorization request header:您还需要明确允许Authorization请求标头:

cors: {
  origin: '*',
  allowedHeaders: ["authorization"]
}

This instance of Jake Archibald's playground may be enough to convince you. Jake Archibald 的游乐场的这个例子可能足以说服你。

The CORS configuration above is secure insofar as cross-origin attackers cannot forge authenticated requests on behalf of their victims.上面的 CORS 配置是安全的,因为跨域攻击者无法代表受害者伪造经过身份验证的请求。

If, on the other hand, your backend server relies on cookies, you need to use credentialed requests and allow credentials in your CORS configuration.另一方面,如果您的后端服务器依赖于 cookie,您需要使用凭证请求并在 CORS 配置中允许凭证。 However, the CORS spec forbids the use of the wildcard in conjunction with credentialed requests .但是,CORS 规范禁止将通配符与凭证请求一起使用 It may be tempting to allow all origins with credentials ( as recommended by Quentin ), but that amounts to voiding the protection provided by the Same-Origin Policy and exposes your users to cross-origin attacks.允许所有具有凭据的来源(如 Quentin 建议的那样)可能很诱人,但这等于使同源策略提供的保护无效,并使您的用户面临跨域攻击。 More details in James Kettle's post on Portswigger's website .更多详情请参阅James Kettle 在 Portswigger 网站上的帖子

解决方案2
 0  2022-07-12 21:08:19

The error is pretty clear.错误很明显。

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.当请求的凭据模式为“包含”时,响应中的“Access-Control-Allow-Origin”标头的值不能是通配符“*”。

And you said:你说:

 origin: '*',

So you have to return the actual origin and not the wildcard.因此,您必须返回实际来源而不是通配符。

The documentation says:文档说:

All options will be forwarded to the cors package.所有选项都将转发到 cors 包。 The complete list of options can be found here.可以在此处找到完整的选项列表。

Which, in turn, says :反过来

origin: Configures the Access-Control-Allow-Origin CORS header. origin:配置 Access-Control-Allow-Origin CORS 头。 Possible values:可能的值:

  • Boolean - set origin to true to reflect the request origin, as defined by req.header('Origin'), or set it to false to disable CORS. Boolean - 将 origin 设置为 true 以反映由 req.header('Origin') 定义的请求源,或将其设置为 false 以禁用 CORS。
  • String - set origin to a specific origin.字符串 - 将原点设置为特定原点。 For example if you set it to "http://example.com" only requests from "http://example.com" will be allowed.例如,如果您将其设置为“http://example.com”,则仅允许来自“http://example.com”的请求。
  • RegExp - set origin to a regular expression pattern which will be used to test the request origin. RegExp - 将 origin 设置为用于测试请求来源的正则表达式模式。 If it's a match, the request origin will be reflected.如果匹配,将反映请求来源。 For example the pattern /example.com$/ will reflect any request that is coming from an origin ending with "example.com".例如,模式 /example.com$/ 将反映来自以“example.com”结尾的来源的任何请求。
  • Array - set origin to an array of valid origins.数组 - 将原点设置为有效原点的数组。 Each origin can be a String or a RegExp.每个来源可以是字符串或正则表达式。 For example ["http://example1.com", /.example2.com$/] will accept any request from "http://example1.com" or from a subdomain of "example2.com".例如 ["http://example1.com", /.example2.com$/] 将接受来自 "http://example1.com" 或来自 "example2.com" 子域的任何请求。
  • Function - set origin to a function implementing some custom logic.函数 - 将原点设置为实现一些自定义逻辑的函数。 The function takes the request origin as the first parameter and a callback (called as callback(err, origin), where origin is a non-function value of the origin option) as the second.该函数将请求来源作为第一个参数,将回调(称为 callback(err, origin),其中 origin 是 origin 选项的非函数值)作为第二个参数。

Since you want to allow any origin , you can't use a string or an array.由于您想允许任何 origin ,因此不能使用字符串或数组。

The other options would all work, but the simplest is the boolean.其他选项都可以,但最简单的是布尔值。

cors: {
    origin: true,
    credentials: true
},

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 node.js 上使用 socket.io 时如何处理 CORS - How do I handle CORS when am working with socket.io on node.js 在firefox中运行node.js和socket.io时出现CORS错误 - CORS error when running node.js and socket.io in firefox 如何使用node.js和socket.io连接到已建立的服务器(非本地主机)? - How can I connect to an established server (NOT localhost) with node.js & socket.io? 我可以通过 socket.io 和 JavaScript 将 Unity 程序连接到 node.js 服务器,如果是,如何连接? - Can I connect a Unity program to node.js server via socket.io and JavaScript, and if yes how? CORS 被 node.js 和 socket.io 阻止 - CORS Blocked with node.js and socket.io Azure-Node.js socket.io-Cors - Azure - Node.js socket.io - cors 在node.js中,构建socket.io/express应用程序时需要http吗? - In node.js do I need http when building a socket.io/express app? 在openshift上使用socket.io和node.js时,即使指定了端口8000,也无法连接到端口8080错误 - Failed to connect to port 8080 error when using socket.io and node.js on openshift even when port 8000 specified Node.js和socket.io不允许连接和交换数据 - Node.js and socket.io is not allowing to connect and exchange data node.js / Express / Connect / Socket.io的关系 - Relationship of node.js / Express / Connect / Socket.io
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM