I'm running an Ionic app on http://localhost:8100 that connects to an Express backend running on http://localhost:3000.
As usual, I'm facing CORS issues. Disabling web security in Chrome didn't help.
The error reported by Chrome is:
(index):1 XMLHttpRequest cannot load http://localhost:3000/auth/facebook.
Response to preflight request doesn't pass access control check:
Credentials flag is 'true',
but the 'Access-Control-Allow-Credentials' header is ''.
It must be 'true' to allow credentials.
Origin 'http://localhost:8100' is therefore not allowed access.
Remote Address:[::1]:3000
Request URL:http://localhost:3000/auth/facebook
Request Method:OPTIONS
Status Code:200 OK
Response Headers
Access-Control-Allow-Headers:accept, content-type
Access-Control-Allow-Methods:POST
Access-Control-Allow-Origin:http://localhost:8100
Access-Control-Max-Age:31536000
Connection:keep-alive
Content-Length:2
Content-Type:text/plain; charset=utf-8
Date:Wed, 04 Nov 2015 02:25:07 GMT
ETag:W/"2-d736d92d"
X-Powered-By:Express
Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:accept, content-type
Access-Control-Request-Method:POST
Connection:keep-alive
DNT:1
Host:localhost:3000
Origin:http://localhost:8100
Referer:http://localhost:8100/
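First question: I don't see any Access-Control-Allow-Credentials flag in the request headers, so why is Chrome complaining?
Second question: I tried using the CORS Express module, but it didn't help. How do I overcome this?
Answer 0 (score: 1)
I solved this by including the following middleware in my Node.js server: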
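var express = require('express');
var bodyParser = require('body-parser');
var methodOverride = require('method-override');

var app = express();
app.use(methodOverride());
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
    extended: true
}));
// Register the CORS middleware (defined below) for every route
app.use(accessControl);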
where the function accessControl looks like this:
function accessControl(req, res, next) {
    var oneof = false;
    // Echo back whatever origin, method and headers the browser asked for
    if (req.headers.origin) {
        res.header('Access-Control-Allow-Origin', req.headers.origin);
        oneof = true;
    }
    if (req.headers['access-control-request-method']) {
        res.header('Access-Control-Allow-Methods', req.headers['access-control-request-method']);
        oneof = true;
    }
    if (req.headers['access-control-request-headers']) {
        res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
        oneof = true;
    }
    if (oneof) {
        // Let the browser cache the preflight result for one year
        res.header('Access-Control-Max-Age', 60 * 60 * 24 * 365);
    }
    // Allow credentialed requests on the auth routes
    if (req.originalUrl === '/auth/signup') {
        res.header('Access-Control-Allow-Credentials', true);
    }
    if (req.originalUrl === '/auth/login') {
        res.header('Access-Control-Allow-Credentials', true);
    }
    // intercept OPTIONS method
    if (oneof && req.method === 'OPTIONS') {
        res.sendStatus(200);
    }
    else {
        next();
    }
}
This isn't an elegant solution, but it did the trick for me (at least until I find something better).
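An added example, not part of the original answer: the middleware above reflects any Origin header and pairs it with Access-Control-Allow-Credentials on the auth routes, which lets any website read credentialed responses. The sketch below keeps the same preflight handling but only answers an allowlisted origin. The names strictCors, simulate and the ALLOWED_* constants are hypothetical, and the allowlist is assumed to contain just the Ionic dev origin from the question. It uses setHeader, statusCode and end, which Express response objects inherit from Node's http module.

```javascript
// Added example: allowlist-based CORS middleware (hypothetical names throughout).
// Assumption: the only trusted front-end is the Ionic dev server from the question.
const ALLOWED_ORIGINS = new Set(['http://localhost:8100']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['accept', 'content-type'];

function strictCors(req, res, next) {
  const origin = req.headers.origin;
  // The response differs per origin, so caches must key on the Origin header.
  res.setHeader('Vary', 'Origin');

  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown or absent origin: emit no CORS headers, so a browser refuses
    // to expose the response to the calling page. Preflights are rejected.
    if (req.method === 'OPTIONS') {
      res.statusCode = 403;
      return res.end();
    }
    return next();
  }

  // Never reflect an unchecked origin; echo it only after the allowlist match.
  res.setHeader('Access-Control-Allow-Origin', origin);
  // Must be the literal string 'true' on the preflight AND the real response,
  // otherwise Chrome reports the error shown in the question.
  res.setHeader('Access-Control-Allow-Credentials', 'true');

  const isPreflight = req.method === 'OPTIONS' &&
    req.headers['access-control-request-method'] !== undefined;
  if (!isPreflight) return next();

  // Advertise a fixed policy instead of echoing the requested method/headers.
  res.setHeader('Access-Control-Allow-Methods', ALLOWED_METHODS.join(', '));
  res.setHeader('Access-Control-Allow-Headers', ALLOWED_HEADERS.join(', '));
  res.setHeader('Access-Control-Max-Age', '600');
  res.statusCode = 204;
  res.end();
}

// Constructed request/response pair so the middleware can be exercised offline.
function simulate(method, headers) {
  const out = { headers: {}, statusCode: 200, ended: false, passed: false };
  const res = {
    setHeader: (k, v) => { out.headers[k.toLowerCase()] = v; },
    set statusCode(code) { out.statusCode = code; },
    end: () => { out.ended = true; },
  };
  strictCors({ method, headers }, res, () => { out.passed = true; });
  return out;
}
```

In an Express app this would be registered with app.use(strictCors) before the routes. Omitting the CORS headers only stops the browser from exposing the response to the page; the server still needs its own authentication and CSRF checks.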