Origin http://localhost is not allowed by Access-Control-Allow-Origin
I\'m trying to do a fetch from backbone.js to my node.js server. However, I get the following error in the console:
Origin http://localhost is not allowed by A
-
There are 2 calls that need to set the correct headers. Initially there is a preflight check so you need something like...
app.get('/item', item.list); app.options('/item', item.preflight);and then have the following functions...
exports.list = function (req, res) { Items.allItems(function (err, items) { ... res.header('Access-Control-Allow-Origin', "*"); // TODO - Make this more secure!! res.header('Access-Control-Allow-Methods', 'GET,PUT,POST'); res.header('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept'); res.send(items); } ); };and for the pre-flight checks
exports.preflight = function (req, res) { Items.allItems(function (err, items) { res.header('Access-Control-Allow-Origin', "*"); // TODO - Make this more secure!! res.header('Access-Control-Allow-Methods', 'GET,PUT,POST'); res.header('Access-Control-Allow-Headers', 'Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept'); res.send(200); } ); };You can consolidate the res.header() code into a single function if you want.
Also as stated above, be careful of using res.header('Access-Control-Allow-Origin', "*") this means anyone can access your site!
讨论(0) -
If you want everyone to be able to access the Node app, then try using
res.header('Access-Control-Allow-Origin', "*")That will allow requests from any origin. The CORS enable site has a lot of information on the different Access-Control-Allow headers and how to use them.
I you are using Chrome, please look at this bug bug regarding localhost and Access-Control-Allow-Origin. There is another StackOverflow question here that details the issue.
讨论(0) -
By localhost you have to use the
nullorigin. I recommend you to create a list of allowed hosts and check the request'sHostheader. If it is contained by the list, then by localhost send back anres.header('Access-Control-Allow-Origin', "null");by any other domain an
res.header('Access-Control-Allow-Origin', hostSentByTheRequestHeader);If it is not contained by the list, then send back the servers host name, so the browser will hide the response by those requests.
This is much more secure, because by allow origin * and allow credentials everybody will be capable of for example stealing profile data of a logged in user, etc...
So to summarize something like this:
if (reqHost in allowedHosts) if (reqHost == "http://localhost") res.header('Access-Control-Allow-Origin', "null"); else res.header('Access-Control-Allow-Origin', reqHost); else res.header('Access-Control-Allow-Origin', serverHost);is the most secure solution if you want to allow multiple other domains to access your page. (I guess you can figure out how the get the host request header and the server host by node.js.)
讨论(0) -
If you are making the fetch call to your localhost which I'm guessing is run by node.js in the same directory as your backbone code, than it will most likely be on
http://localhost:3000or something like that. Than this should be your model:var model = Backbone.Model.extend({ url: '/item' });And in your node.js you now have to accept that call like this:
app.get('/item', function(req, res){ res.send('some info here'); });讨论(0) -
This approach resolved my issue to allow multiple domain
app.use(function(req, res, next) { var allowedOrigins = ['http://127.0.0.1:8020', 'http://localhost:8020', 'http://127.0.0.1:9000', 'http://localhost:9000']; var origin = req.headers.origin; if(allowedOrigins.indexOf(origin) > -1){ res.setHeader('Access-Control-Allow-Origin', origin); } //res.header('Access-Control-Allow-Origin', 'http://127.0.0.1:8020'); res.header('Access-Control-Allow-Methods', 'GET, OPTIONS'); res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization'); res.header('Access-Control-Allow-Credentials', true); return next(); });讨论(0)
加载中...
- 热议问题