解决CORS问题使用Chrome扩展程序

huangapple go评论62阅读模式
英文:

Solving CORS Issue using Chrome Extension

问题

我的应用程序可在 app-123.company.aws.com 上使用。为了加快开发过程,我使用 Requestly 将脚本和 API 重定向到我的本地开发环境。大部分时间都很顺利,但某些 API 端点未启用 CORS,因此在某些工作流程中会出现 CORS 错误。
我尝试在 Requestly 中添加一个类似这样的修改标头规则

但我随后收到以下错误消息

> 预检请求的响应未通过访问控制检查:当请求的凭据模式为“include”时,响应中的“Access-Control-Allow-Origin”标头的值不能为通配符“*”。

我该如何解决这个问题?
英文:

解决CORS问题使用Chrome扩展程序My app is available on app-123.company.aws.com So in order to make the development process faster, I use Requestly to redirect scripts & APIs to my local development. This works fine most of the time but some API endpoints don't have CORS enabled and hence in some workflows I get a CORS error.
I tried adding a Modify Headers Rule in Requestly like this

But I then got the following error

> Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'

How can I solve this?

答案1

得分: 1

请尝试在您的位置指令中添加以下内容:

if ($http_origin ~* "^https?://app-123/.company/.aws/.com$") {
    add_header Access-Control-Allow-Origin $http_origin;
}
英文:

Try to add in your location directive

if ($http_origin ~* "^https?://app-123/.company/.aws/.com$") {
    add_header Access-Control-Allow-Origin $http_origin;
}

答案2

得分: 1

正如错误指出的那样,当请求的凭证模式为include时,不能将*用作Access-Control-Allow-Origin头的值。

当请求的凭证模式为include时,它意味着请求携带了cookies或授权头。出于安全原因,服务器必须返回确切的来源,而不是*作为Access-Control-Allow-Origin的值。 参考这个SO回答

要解决这个错误,您可以简单地配置Modify Headers规则,如下所示:

Access-Control-Allow-Origin: https://app-123.company.aws.com

通过查看您的设置,我假设您的appId可能会发生变化,因此以防万一,您的来源也可能会发生变化。Requestly可以使用预定义函数rq_request_initiator_origin()自动计算页面的来源。 参考这个GitHub问题

Access-Control-Allow-Origin: rq_request_initiator_origin()

在运行时,您将根据请求的发起位置获得响应头Access-Control-Allow-Origin。因此,如果页面的来源是https://app-123.company.aws.com,它将成为头的值。

英文:

As the error points out, you cannot use the * as the value of the Access-Control-Allow-Origin header when the request's credentials mode is include.

When a request's credentials mode is include, it simply means the request is carrying either cookies or authorization headers. For security reasons, the server must return the exact origin instead of * as the value of Access-Control-Allow-Origin. Refer to this SO Answer

To solve this error, you can simply configure Modify Headers rule like this

Access-Control-Allow-Origin: https://app-123.company.aws.com

解决CORS问题使用Chrome扩展程序

By looking at your setup, I assume your appId can change so Just in case, your origin can change. Requestly can automatically compute the page origin for you using a predefined function rq_request_initiator_origin(). Refer to this GitHub Issue

Access-Control-Allow-Origin: rq_request_initiator_origin()

At the runtime, you will get a response header Access-Control-Allow-Origin based on where the request originated So if the page origin is https://app-123.company.aws.com it will be the value of the header.

huangapple
  • 本文由 发表于 2023年5月29日 04:11:23
  • 转载请务必保留本文链接:https://go.coder-hub.com/76353422.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定