Google Chrome:当凭证标志为真时,不能在“Access-Control-Allow-Origin"标头中使用通配符“*"
我知道这很常见,对于早期版本的 chrome,我曾经设置C:Program Files (x86)GoogleChromeApplicationchrome.exe" --args --disable-web-security--user-data-dir 在 chrome 快捷方式选项卡中避免访问控制允许来源"错误.使用最新版本,此修复似乎不再有效.安装最新版本 53.0.2785.89 m 后控制台报错
XMLHttpRequest 无法加载 https://example.org:15003/apps/services/preview/rr/common/1.0/default/index.html.对预检请求的响应未通过访问控制检查:当凭证标志为真时,不能在Access-Control-Allow-Origin"标头中使用通配符*".因此,不允许访问 Origin 'http://ibm-pb7en65:10080'.XMLHttpRequest 的凭据模式由 withCredentials 属性控制.
我不确定要添加哪些附加属性以避免Access-Control-Allow-Origin"错误.有什么方法可以实现吗?
解决方案错误告诉你服务器发回了这个响应头:
<上一页>访问控制允许来源:*...在凭据请求上.那是行不通的.对于带有凭据的请求,服务器必须返回 specific Access-Control-Allow-Origin
标头.
由于您是从 http://ibm-pb7en65:10080/
发出请求,因此您的服务器必须发回此标头:
不能使用通配符*
代替.
解决办法是:
- 更新服务器以执行此操作,或
- 从请求中删除凭据
详细信息,一如既往,在规范中.
I know this is something usual, With the earlier versions of chrome I used to set "C:Program Files (x86)GoogleChromeApplicationchrome.exe" --args --disable-web-security --user-data-dir in chrome shortcut tab to avoid 'Access-Control-Allow-Origin' errors. With the latest version, it seems like this fix is not working anymore. After installing the latest version 53.0.2785.89 m this is the error in console
XMLHttpRequest cannot load https://example.org:15003/apps/services/preview/rr/common/1.0/default/index.html. Response to preflight request doesn't pass access control check: A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true. Origin 'http://ibm-pb7en65:10080' is therefore not allowed access. The credentials mode of an XMLHttpRequest is controlled by the withCredentials attribute.
I am not sure which additional attributes are to be added to avoid 'Access-Control-Allow-Origin' error.Is there any way this can be achieved?
解决方案The error is telling you that the server sent back this response header:
Access-Control-Allow-Origin: *
...on a credentialed request. That doesn't work. On a request with credentials, the server must return a specific Access-Control-Allow-Origin
header.
Since you're making the request from http://ibm-pb7en65:10080/
, your server must send back this header:
Access-Control-Allow-Origin: http://ibm-pb7en65:10080
It cannot use the wildcard *
instead.
The solution is either:
- Update the server to do that, or
- Remove credentials from the request
Details, as always, in the specification.
相关文章