CORS: credentials mode is 'include'

2017-11-10 00:06:15

XMLHttpRequest cannot load http://localhost/Foo.API/token. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:5000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

答案

The issue stems from your Angular code:

When withCredentials is set to true, it is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to do authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header.

You would have to explicitely respond with the origin that made the request in the "Access-Control-Allow-Origin" header to make this work.

I would recommend to explicitely whitelist the origins that you want to allow to make authenticated requests, because simply responding with the origin from the request means that any given website can make authenticated calls to your backend if the user happens to have a valid session.

I explain this stuff in this article I wrote a while back.

So you can either set withCredentials to false or implement an origin whitelist and respond to CORS requests with a valid origin whenever credentials are involved


  • 2020-12-29 16:20:29

    使用console进行 性能测试 和 计算代码运行时间

    对于前端开发人员,在开发过程中经常需要监控某些表达式或变量的值,如果使用用 debugger 会显得过于笨重,最常用的方法是会将值输出到控制台上方便调试。 最常用的语句就是console.log(expression)了。

  • 2021-01-05 15:41:42

    nodejs修改时区

    ​let date = new Date(); date.setHours(date.getHours() + 8);

  • 2021-01-06 23:09:38

    mp3解码器转PCM合并

    首先,为了混合两个音频文件,您需要操纵它们的原始表示;由于MP3文件被压缩,您无法直接访问信号的原始表示.您需要对压缩的MP3流进行解码,以便“理解”您的音频信号的波形,然后可以混合使用.