Google Chrome:当凭证标志为真时,不能在“Access-Control-Allow-Origin"标头中使用通配符“*"

我知道这很常见,对于早期版本的 chrome,我曾经设置C:Program Files (x86)GoogleChromeApplicationchrome.exe" --args --disable-web-security--user-data-dir 在 chrome 快捷方式选项卡中避免访问控制允许来源"错误.使用最新版本,此修复似乎不再有效.安装最新版本 53.0.2785.89 m 后控制台报错

XMLHttpRequest 无法加载 https://example.org:15003/apps/services/preview/rr/common/1.0/default/index.html.对预检请求的响应未通过访问控制检查:当凭证标志为真时,不能在Access-Control-Allow-Origin"标头中使用通配符*".因此,不允许访问 Origin 'http://ibm-pb7en65:10080'.XMLHttpRequest 的凭据模式由 withCredentials 属性控制.

我不确定要添加哪些附加属性以避免Access-Control-Allow-Origin"错误.有什么方法可以实现吗?

解决方案

错误告诉你服务器发回了这个响应头:

<上一页>访问控制允许来源:*

...在凭据请求上.那是行不通的.对于带有凭据的请求,服务器必须返回 specific Access-Control-Allow-Origin 标头.

由于您是从 http://ibm-pb7en65:10080/ 发出请求,因此您的服务器必须发回此标头:

<上一页>访问控制允许来源:http://ibm-pb7en65:10080

不能使用通配符*代替.

解决办法是:

  • 更新服务器以执行此操作,或
  • 从请求中删除凭据

详细信息,一如既往,在规范中.

I know this is something usual, With the earlier versions of chrome I used to set "C:Program Files (x86)GoogleChromeApplicationchrome.exe" --args --disable-web-security --user-data-dir in chrome shortcut tab to avoid 'Access-Control-Allow-Origin' errors. With the latest version, it seems like this fix is not working anymore. After installing the latest version 53.0.2785.89 m this is the error in console

XMLHttpRequest cannot load https://example.org:15003/apps/services/preview/rr/common/1.0/default/index.html. Response to preflight request doesn't pass access control check: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://ibm-pb7en65:10080' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.

I am not sure which additional attributes are to be added to avoid 'Access-Control-Allow-Origin' error.Is there any way this can be achieved?

解决方案

The error is telling you that the server sent back this response header:

Access-Control-Allow-Origin: *

...on a credentialed request. That doesn't work. On a request with credentials, the server must return a specific Access-Control-Allow-Origin header.

Since you're making the request from http://ibm-pb7en65:10080/, your server must send back this header:

Access-Control-Allow-Origin: http://ibm-pb7en65:10080

It cannot use the wildcard * instead.

The solution is either:

  • Update the server to do that, or
  • Remove credentials from the request

Details, as always, in the specification.

相关文章