问题描述
我有涉及设置
前端服务器(Node.js的,域名:本地主机:3000)< --->后端(Django的,阿贾克斯,域名:本地主机:8000)
浏览器与LT; - web应用< - Node.js的(即成应用程序)
浏览器(Web应用程序) - >阿贾克斯 - > Django的(即成AJAX POST请求)
现在,我的问题就在这里是CORS设置该Web应用程序使用,使Ajax调用后端服务器。在铬,我不断收到
不能在Firefox的工作之一。
我的Node.js的设置是:
VAR allowCrossDomain =功能(REQ,水库,下一个){
res.header(访问控制 - 允许 - 原产地,HTTP://本地主机:8000 /');
res.header(访问控制 - 允许 - 凭据,真正的);
res.header(访问控制 - 允许 - 方法,GET,PUT,POST,DELETE);
res.header(访问控制 - 允许 - 头,原产地,X-要求,通过,内容类型,接受);
下一个();
};
和在Django我使用这个中间件的
web应用程序发出请求作为这样的:
$。阿贾克斯({
键入:POST,
网址:HTTP://本地主机:8000 /嗒嗒',
数据: {},
xhrFields:{
withCredentials:真
},
跨域:真正的,
数据类型:JSON,
成功:successHandler
});
因此,该Web应用程序发送貌似请求头:
访问控制 - 允许-凭据:真
访问控制 - 允许 - 头:原产地,X-要求,通过,内容类型,接受
访问控制 - 允许 - 方法GET,PUT,POST,DELETE
内容类型:应用程序/ JSON
接受: */*
接受编码:gzip,紧缩,SDCH
接受语言:EN-US,EN; Q = 0.8
饼干:csrftoken = ***;会话id =***
和这里的响应头:
访问控制 - 允许 - 头:内容类型,*
访问控制 - 允许-凭据:真
访问控制 - 允许 - 产地:*
访问控制 - 允许 - 方法:POST,GET,OPTIONS,PUT,DELETE
内容类型:应用程序/ JSON
我在哪里去了?!
编辑1:我一直在使用铬 - 禁用网络安全,但现在想要的东西,以实际工作
编辑2:答:
所以,对我的解决方案的Django-CORS报头配置:
CORS_ORIGIN_ALLOW_ALL =假
CORS_ALLOW_CREDENTIALS = TRUE
CORS_ORIGIN_WHITELIST =(
HTTP://本地主机:3000'#这是问题确实与它有是http://本地主机:3000,而不是http://本地主机:3000 /
)
这是安全的一部分,你不能这样做。如果你想允许证书,那么你的访问控制 - 允许 - 原产地不得使用 * 。您必须指定确切域。更多信息参见以下问题:
- Access-Control-Allow-Origin通配符子域,端口和协议
- Cross原产地资源共享与凭证
除了 * 过于宽松,并会打败使用的凭据。因此,添加本地主机:3000 或本地主机:8000 到允许原点标题
I have a setup involving
Frontend server (Node.js, domain: localhost:3000) <---> Backend (Django, Ajax, domain: localhost:8000)
Browser <-- webapp <-- Node.js (Serve the app)
Browser (webapp) --> Ajax --> Django(Serve ajax POST requests)
Now, my problem here is with CORS setup which the webapp uses to make Ajax calls to the backend server. In chrome, I keep getting
doesn't work on firefox either.
My Node.js setup is:
var allowCrossDomain = function(req, res, next) {
res.header('Access-Control-Allow-Origin', 'http://localhost:8000/');
res.header('Access-Control-Allow-Credentials', true);
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE');
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
};
And in Django I'm using this middleware along with this
The webapp makes requests as such:
$.ajax({
type: "POST",
url: 'http://localhost:8000/blah',
data: {},
xhrFields: {
withCredentials: true
},
crossDomain: true,
dataType: 'json',
success: successHandler
});
So, the request headers that the webapp sends looks like:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: "Origin, X-Requested-With, Content-Type, Accept"
Access-Control-Allow-Methods: 'GET,PUT,POST,DELETE'
Content-Type: application/json
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrftoken=***; sessionid="***"
And here's the response header:
Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Content-Type: application/json
Where am I going wrong?!
Edit 1: I've been using chrome --disable-web-security, but now want things to actually work.
Edit 2: Answer:
So, solution for me django-cors-headers config:
CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
'http://localhost:3000' # Here was the problem indeed and it has to be http://localhost:3000, not http://localhost:3000/
)
This is a part of security, you cannot do that. If you want to allow credentials then your Access-Control-Allow-Origin must not use *. You will have to specify the exact domain. For reference see these questions :
- Access-Control-Allow-Origin wildcard subdomains, ports and protocols
- Cross Origin Resource Sharing with Credentials
Besides * is too permissive and would defeat use of credentials. So add localhost:3000 or localhost:8000 to the allow origin header.
这篇关于CORS:不能使用通配符的访问控制 - 允许 - 原产地证书时,标志为真的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!