英文:
Solving CORS Issue using Chrome Extension
问题
我的应用程序可在 app-123.company.aws.com 上使用。为了加快开发过程,我使用 Requestly 将脚本和 API 重定向到我的本地开发环境。大部分时间都很顺利,但某些 API 端点未启用 CORS,因此在某些工作流程中会出现 CORS 错误。
我尝试在 Requestly 中添加一个类似这样的修改标头规则
但我随后收到以下错误消息
> 预检请求的响应未通过访问控制检查:当请求的凭据模式为“include”时,响应中的“Access-Control-Allow-Origin”标头的值不能为通配符“*”。
我该如何解决这个问题?
英文:
My app is available on app-123.company.aws.com So in order to make the development process faster, I use Requestly to redirect scripts & APIs to my local development. This works fine most of the time but some API endpoints don't have CORS enabled and hence in some workflows I get a CORS error.
I tried adding a Modify Headers Rule in Requestly like this
But I then got the following error
> Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'
How can I solve this?
答案1
得分: 1
请尝试在您的位置指令中添加以下内容:
if ($http_origin ~* "^https?://app-123/.company/.aws/.com$") {
add_header Access-Control-Allow-Origin $http_origin;
}
英文:
Try to add in your location directive
if ($http_origin ~* "^https?://app-123/.company/.aws/.com$") {
add_header Access-Control-Allow-Origin $http_origin;
}
答案2
得分: 1
正如错误指出的那样,当请求的凭证模式为include
时,不能将*
用作Access-Control-Allow-Origin
头的值。
当请求的凭证模式为include
时,它意味着请求携带了cookies或授权头。出于安全原因,服务器必须返回确切的来源,而不是*
作为Access-Control-Allow-Origin
的值。 参考这个SO回答
要解决这个错误,您可以简单地配置Modify Headers规则,如下所示:
Access-Control-Allow-Origin: https://app-123.company.aws.com
通过查看您的设置,我假设您的appId可能会发生变化,因此以防万一,您的来源也可能会发生变化。Requestly可以使用预定义函数rq_request_initiator_origin()
自动计算页面的来源。 参考这个GitHub问题
Access-Control-Allow-Origin: rq_request_initiator_origin()
在运行时,您将根据请求的发起位置获得响应头Access-Control-Allow-Origin
。因此,如果页面的来源是https://app-123.company.aws.com
,它将成为头的值。
英文:
As the error points out, you cannot use the *
as the value of the Access-Control-Allow-Origin header when the request's credentials mode is include
.
When a request's credentials mode is include
, it simply means the request is carrying either cookies or authorization headers. For security reasons, the server must return the exact origin instead of *
as the value of Access-Control-Allow-Origin
. Refer to this SO Answer
To solve this error, you can simply configure Modify Headers rule like this
Access-Control-Allow-Origin: https://app-123.company.aws.com
By looking at your setup, I assume your appId can change so Just in case, your origin can change. Requestly can automatically compute the page origin for you using a predefined function rq_request_initiator_origin()
. Refer to this GitHub Issue
Access-Control-Allow-Origin: rq_request_initiator_origin()
At the runtime, you will get a response header Access-Control-Allow-Origin
based on where the request originated So if the page origin is https://app-123.company.aws.com
it will be the value of the header.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论