发表新帖
发表新帖

CORS: Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true

后端 未结
关注
9 2505
借酒劲吻你
借酒劲吻你 2020-11-22 01:54

I have a setup involving

Frontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000)

Browser <-- webapp <

相关标签:
9条回答
  • 失恋的感觉
    2020-11-22 02:54

    Had this problem with angular, using an auth interceptor to edit the header, before the request gets executed. We used an api-token for authentification, so i had credentials enabled. now, it seems it is not neccessary/allowed anymore

    @Injectable()
export class AuthInterceptor implements HttpInterceptor {
  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    req = req.clone({
      //withCredentials: true, //not needed anymore
      setHeaders: {
        'Content-Type' : 'application/json',
        'API-TOKEN' : 'xxx'
      },
    });
    
    return next.handle(req);
  }

    Besides that, there is no side effects right now.

    0 讨论(0)
  • -上瘾入骨i
    2020-11-22 02:58

    Expanding on @Renaud idea, cors now provides a very easy way of doing this:

    From cors official documentation found here:

    " origin: Configures the Access-Control-Allow-Origin CORS header. Possible values: Boolean - set origin to true to reflect the request origin, as defined by req.header('Origin'), or set it to false to disable CORS. "

    Hence we simply do the following:

    const app = express();
const corsConfig = {
    credentials: true,
    origin: true,
};
app.use(cors(corsConfig));

    Lastly I think it is worth mentioning that there are use cases where we would want to allow cross origin requests from anyone; for example, when building a public REST API.

    NOTE: I would have liked to leave this as a comment on his answer, but unfortunately I don't have the reputation points.

    0 讨论(0)
  • 臣服心动
    2020-11-22 02:59

    This works for me in development but I can't advise that in production, it's just a different way of getting the job done that hasn't been mentioned yet but probably not the best. Anyway here goes:

    You can get the origin from the request, then use that in the response header. Here's how it looks in express:

    app.use(function(req, res, next) {
  res.header('Access-Control-Allow-Origin', req.header('origin') );
  next();
});

    I don't know what that would look like with your python setup but that should be easy to translate.

    0 讨论(0)
 看不清?
提交回复
热议问题