CORS: credentials mode is 'include'

2017-11-10 00:06:15

XMLHttpRequest cannot load http://localhost/Foo.API/token. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:5000' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

答案

The issue stems from your Angular code:

When withCredentials is set to true, it is trying to send credentials or cookies along with the request. As that means another origin is potentially trying to do authenticated requests, the wildcard ("*") is not permitted as the "Access-Control-Allow-Origin" header.

You would have to explicitely respond with the origin that made the request in the "Access-Control-Allow-Origin" header to make this work.

I would recommend to explicitely whitelist the origins that you want to allow to make authenticated requests, because simply responding with the origin from the request means that any given website can make authenticated calls to your backend if the user happens to have a valid session.

I explain this stuff in this article I wrote a while back.

So you can either set withCredentials to false or implement an origin whitelist and respond to CORS requests with a valid origin whenever credentials are involved


  • 2021-03-02 16:00:30

    git pull时的filename too long的错误

    这是因为git在windowa下的文件名长度最大是260,(git在Linux下最大支持4096长度的文件名),可以通过输入以下命令解决:

  • 2021-03-05 13:18:03

    mjml教程详解

    mjml如何快速编写响应式电子邮件

  • 2021-03-15 10:34:55

    Sass函数:Sass Maps的函数-map-get($map,$key)

    map-get($map,$key) 函数的作用是根据 $key 参数,返回 $key 在 $map 中对应的 value 值。如果 $key 不存在 $map中,将返回 null 值。此函数包括两个参数: