我有一个设置涉及
前端服务器(Node.js,domain:localhost:3000)< --->后端(Django,Ajax,domain:localhost:8000)
浏览器< - webapp< - Node.js(服务应用程序) 浏览器(webapp) – > Ajax – > Django(服务ajax POST请求)
现在,我的问题是使用CORS设置,webapp使用它来对后端服务器进行Ajax调用。在chrome,我不断得到
Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.
不工作在firefox也。
我的Node.js设置是:
var allowCrossDomain = function(req,res,next) {
res.header('Access-Control-Allow-Origin','http://localhost:8000/');
res.header('Access-Control-Allow-Credentials',true);
res.header('Access-Control-Allow-Methods','GET,PUT,POST,DELETE');
res.header("Access-Control-Allow-Headers","Origin,X-Requested-With,Content-Type,Accept");
next();
};
在Django我使用this middleware along with this
webapp这样请求:
$.ajax({
type: "POST",url: 'http://localhost:8000/blah',data: {},xhrFields: {
withCredentials: true
},crossDomain: true,dataType: 'json',success: successHandler
});
因此,webapp发送的请求头像:
Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: "Origin,Accept" Access-Control-Allow-Methods: 'GET,DELETE' Content-Type: application/json Accept: */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: csrftoken=***; sessionid="***"
这里是响应头:
Access-Control-Allow-Headers: Content-Type,* Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST,GET,OPTIONS,DELETE Content-Type: application/json
我在哪里错了?
编辑1:我一直在使用chrome –disable-web-security,但现在想要的东西实际上工作。
编辑2:答案:
所以,解决方案我django-cors-headers配置:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
'http://localhost:3000' # Here was the problem indeed and it has to be http://localhost:3000,not http://localhost:3000/
)
这是安全的一部分,你不能这样做。如果要允许凭据,则您的Access-Control-Allow-Origin不能使用*。您必须指定确切的域。参考看这些问题:
> Access-Control-Allow-Origin wildcard subdomains,ports and protocols
> Cross Origin Resource Sharing with Credentials
此外*太宽容,会打败凭证的使用。因此,将localhost:3000或localhost:8000添加到allow origin标头。
