CORS: credentials mode is 'include'

2017-11-10 00:06:15

XMLHttpRequest cannot load http://localhost/Foo.API/token. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:5000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

答案

The issue stems from your Angular code:

When withCredentials is set to true, it is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to do authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header.

You would have to explicitely respond with the origin that made the request in the "Access-Control-Allow-Origin" header to make this work.

I would recommend to explicitely whitelist the origins that you want to allow to make authenticated requests, because simply responding with the origin from the request means that any given website can make authenticated calls to your backend if the user happens to have a valid session.

I explain this stuff in this article I wrote a while back.

So you can either set withCredentials to false or implement an origin whitelist and respond to CORS requests with a valid origin whenever credentials are involved


  • 2020-01-08 23:37:08

    laravel通过图片流返回图片

    我用laravel的字母头像生成框架Laravolt\Avatar生成的base64头像,但我想做个通用但,直接返回图片,我还是根据以往但经验 改写header但返回值为图片返回值,结果返回失败,一堆乱吗,不知道为啥。 后来用了laravel自带但返回图片但方法,结果ok。记录下

  • 2020-01-08 23:45:06

    laravel response 对象一些常用功能点

    通常,我们并不只是从路由动作简单返回字符串和数组,大多数情况下,都会返回一个完整的 Illuminate\Http\Response 实例或 视图。

  • 2020-01-08 23:49:13

    laravel 存储base64格式图片

    一、总结 一句话总结: 二、laravel存储64位图片实例 三、laravel 存储前端上传base64图片 四、php将base64字符串转换为图片

  • 2020-01-09 01:24:28

    mac安装ImageMagick与PHP扩展Imagick

    mac安装ImageMagick和php7.2扩展Imagick,从网上搜索教程,感觉好少,有的教程看起来也很麻烦,不过安装起来,没想到竟然如此简单。不非纯灰之力。

  • 2020-01-09 18:49:17

    pecl安装卸载模块,如何自动配置php.ini

    利用pecl安装php模块,可能需要手工配置php.ini,以加载或禁止相关模块。那么pecl install是不是可以自动配置php.ini呢?答案是肯定的。在pecl isntall的提示信息中,苏南大叔找到了下面的类似提示信息:configuration option "php_ini" is not set to php.ini location。这个设置点,就是本文的关键所在。设置好"php_ini"之后,pecl就可以自动修改php.ini中的extension=了。

  • 2020-01-10 10:23:08

    父元素设置min-height子元素设置100%问题

    父元素设置min-height子元素高度设置100%取不到值,这是因为子元素 div设置 height:100%;只有当父级元素满足min-height:1000px;设置的条件才触发;浏览器默认是不会触发的,所以子元素的100%的高度继承就失效了。min-height 是在 height 计算之后再套用的.

  • 2020-01-10 15:48:46

    Linux下查看文件精确到秒的修改时间

    今天排查一个BUG遇到一个问题,错误日志中打印的时间精确到秒,但当根据日志中的时间去找对应文件进行验证的时候,发现通过 ls -l 或者 ll 命令,都无法查看到文件精确到秒的修改时间。

  • 2020-01-10 15:55:05

    linux php yum 安装Imagick

    通过pecl安装Imagick扩展,成功到是成功了,很顺利,但是so包并不在我当年用yum安装的php7.2的扩展包内,我把生成的Imagick.so,移动到当前用的php包内,并不能用,提示 undefined symbol: spl_ce_Countable)) in Unknown on line 0。