javascript 允许在 express js 中使用多个 CORS 域
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26988071/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Allow multiple CORS domain in express js
提问by Ajey
How do I allow multiple domains for CORS in express in a simplified way.
如何以简化的方式在 express 中允许 CORS 的多个域。
I have
我有
cors: {
origin: "www.one.com";
}
app.all('*', function(req, res, next) {
res.header("Access-Control-Allow-Origin", cors.origin);
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
This works when there is only one domain mentioned in origin
这在只有一个域时有效 origin
But if I want to have originas an array of domains and I want to allow CORS for all the domains in the origin array, I would have something like this -
但是如果我想拥有origin一个域数组,并且我想为原始数组中的所有域允许 CORS,我会有这样的 -
cors: {
origin: ["www.one.com","www.two.com","www.three.com"];
}
But then the problem is this below code would not work -
但问题是下面的代码不起作用 -
app.all('*', function(req, res, next) {
res.header("Access-Control-Allow-Origin", cors.origin);
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
How do I make res.headertake an array of domains via cors.origin?
如何通过res.header获取域数组cors.origin?
回答by Johannes Reuter
I would recommend the cors-module: https://www.npmjs.org/package/corsIt does this kind of stuff for you - check the "Configuring CORS w/ Dynamic Origin"-Section
我会推荐 cors 模块:https://www.npmjs.org/package/cors 它为你做这种事情 - 检查“使用动态源配置 CORS”-部分
回答by Ashrith
Lets understand how this header works. "Access-Control-Allow-Origin" accepts only a string. So to make it dynamic you need to get the requesting host from the http header. Check it against your array of authorised domains. If it's present then add that as a value to the header, else adding a default value will prohibit unauthorised domains from accessing the API.
让我们了解这个标题是如何工作的。“Access-Control-Allow-Origin”只接受一个字符串。因此,要使其动态化,您需要从 http 标头中获取请求主机。根据您的授权域数组检查它。如果存在,则将其作为值添加到标头中,否则添加默认值将禁止未经授权的域访问 API。
There is no native implementation for this. You can do it yourself using the code below.
对此没有本机实现。您可以使用下面的代码自己完成。
cors: {
origin: ["www.one.com","www.two.com","www.three.com"],
default: "www.one.com"
}
app.all('*', function(req, res, next) {
var origin = cors.origin.indexOf(req.header('origin').toLowerCase()) > -1 ? req.headers.origin : cors.default;
res.header("Access-Control-Allow-Origin", origin);
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
回答by lugy90
In fact, Access-Control-Allow-Origin?header should be the same value as the?Origin?header as long as you want to allow it.
实际上,Access-Control-Allow-Origin?header 应该与?Origin?header 的值相同,只要您想允许它。
So base on your code just
所以基于你的代码
cors: {
origin: ["www.one.com","www.two.com","www.three.com"]
}
app.all('*', function(req, res, next) {
let origin = req.headers.origin;
if(cors.origin.indexOf(origin) >= 0){
res.header("Access-Control-Allow-Origin", origin);
}
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
next();
});
