CORS header Allow-Origin missing in POST requests

Question

I know there are tons of CORS-related questions, but I can't seem to find the answer to this one.

This is my server-side Golang code (we are using the github.com/rs/cors Go module):
We basically have a set of APIs that require an authorization header and some APIs that don't (think checkout vs. checkout as guest functionality).

allowedOrigins := []string{"http://localhost:3000", "http://localhost:3001"}
//allowedHeaders := []string{"Authorization"}
c := cors.New(cors.Options{AllowedOrigins: allowedOrigins, AllowCredentials: true})
handler := c.Handler(r)

What I found is the following:

// If AllowCredentials is set to true, then all non-auth requests go through but all auth requests return a CORS error

// If AllowedHeaders: Authorization is set, then all **authenticated and NON-authenticated** POST requests fail. GET works fine for both cases.

More specifically: the error I get is that AllowedOrigins is not set (??.. I get this in the PRE-FLIGHT OPTIONS response headers) when I try to execute a POST request and I set the AllowedHeaders: authorization option above.

If I comment out that line (as you see above), then the non-auth requests go through perfectly and the AllowedOrigins header is sent back in the OPTIONS request.

Answer 1

Score: 1

Fixed it....

https://github.com/rs/cors

It has a nice CorsOptions Debug: true. I used that to inspect what was going on, and the moment I hardcoded that I allowed Authorization to come into my server, the POST request was complaining afterwards because I was also sending Content-Type (automatically sent by the client (axios); I didn't specify it), and the server was saying pretty much "I only recognize the authorization header". I added Content-Type and it now works!

allowedHeaders := []string{"Authorization", "Content-Type"}
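
The failure described in the answer, reproduced as an added example (not the poster's code and not the rs/cors implementation): a simplified, standard-library-only preflight handler that, like the behaviour reported above, returns no Access-Control-Allow-Origin when any requested header is missing from the allow-list. The handler, the /checkout path and the helper names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// preflight is a simplified stand-in for a CORS middleware (not rs/cors itself).
// CORS headers are sent only if the origin and every requested header are allowed.
func preflight(origins, allowedHeaders []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		origin, ok := r.Header.Get("Origin"), false
		for _, o := range origins {
			ok = ok || o == origin
		}
		requested := r.Header.Get("Access-Control-Request-Headers")
		for _, h := range strings.Split(requested, ",") {
			known := strings.TrimSpace(h) == ""
			for _, a := range allowedHeaders {
				known = known || strings.EqualFold(a, strings.TrimSpace(h))
			}
			ok = ok && known // one unlisted header rejects the whole preflight
		}
		if ok {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Headers", requested)
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// allowOrigin sends a constructed POST preflight and returns the Allow-Origin
// value a browser would see; "" is what it reports as a missing header.
func allowOrigin(allowedHeaders []string, requestHeaders string) string {
	req := httptest.NewRequest(http.MethodOptions, "/checkout", nil)
	req.Header.Set("Origin", "http://localhost:3000")
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", requestHeaders)
	rec := httptest.NewRecorder()
	preflight([]string{"http://localhost:3000", "http://localhost:3001"}, allowedHeaders)(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Printf("%q\n", allowOrigin([]string{"Authorization"}, "authorization,content-type"))
	fmt.Printf("%q\n", allowOrigin([]string{"Authorization", "Content-Type"}, "authorization,content-type"))
}
```

The first call models the JSON POST that failed (the client adds content-type on its own), the second the corrected allow-list.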

huangapple
  • Posted on March 27, 2022 at 03:44:04
  • When reposting, please keep the link to this article: https://go.coder-hub.com/71631286.html