Enable Access-Control-Allow-Origin for multiple domains in nodejs

Warning: this page is provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow. Original question: http://stackoverflow.com/questions/24897801/

Time: 2020-09-02 17:40:22  Source: igfitidea

node.js, cors

Asked by Ali

I'm trying to allow CORS in node.js but the problem is that I can't set * to Access-Control-Allow-Origin if Access-Control-Allow-Credentials is set.

Also the specification said I can't do an array or comma separated value for Access-Control-Allow-Origin and the suggested method would be to do something similar to this: "Access-Control-Allow-Origin Multiple Origin Domains?"

But I can't seem to do it this way in node.js:

["http://mydomain.com:9001", "http://mydomain.com:5001"].map(function(domain) {
  res.setHeader( "Access-Control-Allow-Origin", domain );
});
res.header( "Access-Control-Allow-Credentials", true );

The problem here is that it's being overridden by the last value in the array, so the header will be set to res.setHeader( "Access-Control-Allow-Origin", "http://mydomain.com:5001" );

Error from the client browser:


XMLHttpRequest cannot load http://mydomain.com:9090/api/sync. The 'Access-Control-Allow-Origin' header has a value 'http://mydomain.com:5001' that is not equal to the supplied origin. Origin 'http://mydomain.com:9001' is therefore not allowed access.


Answered by Chandru

Here is what I use in my express application to allow multiple origins:

app.use(function(req, res, next) {
  var allowedOrigins = ['http://127.0.0.1:8020', 'http://localhost:8020', 'http://127.0.0.1:9000', 'http://localhost:9000'];
  var origin = req.headers.origin;
  if(allowedOrigins.indexOf(origin) > -1){
    res.setHeader('Access-Control-Allow-Origin', origin);
  }
  //res.header('Access-Control-Allow-Origin', 'http://127.0.0.1:8020');
  res.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  res.header('Access-Control-Allow-Credentials', true);
  return next();
});

Answered by Matt

Not sure if this is too late but I solved it by setting: res.setHeader("Access-Control-Allow-Origin", req.headers.origin);

This will simply allow every connection as the headers.origin will be sent with every query.

You may want to write a function to check if the req.headers.origin is a whitelisted domain (from a hardcoded array) and then simply return this domain if it exists in the array.

Answered by Ross The Boss

Check your whitelist against your req.headers.origin, e.g.

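var origins = ['a.com', 'b.com', 'c.com', 'boobies.com'];
var hostname = null;
// Compare the exact hostname from the Origin header. A substring test would also
// accept any origin that merely contains a whitelisted name.
try { hostname = new URL(req.headers.origin).hostname; } catch (e) { /* missing or malformed Origin */ }
for(var i=0;i<origins.length;i++){
    var origin = origins[i];
    if(hostname === origin){
         res.setHeader('Access-Control-Allow-Origin', req.headers.origin);
         return;
    }
    // else, tough cookies.
}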

Enjoy.


Answered by Alan L.

Here's a simple middleware function to serve up the correct CORS header from a whitelist. Setting this near the top of your express app will allow all your routes to set the proper header from the whitelist before serving up content.


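app.use(function(req, res, next){
  var whitelist = ['localhost:4000', 'localhost:3000', 'anydomain.com']
  // CORS is decided on the Origin request header (scheme://host[:port]);
  // the Host header only names the server that received the request.
  var origin = req.get('origin');
  var host = null;
  try { host = new URL(origin).host; } catch (e) { /* missing or malformed Origin */ }

  whitelist.forEach(function(val, key){
    if (host === val){
      res.setHeader('Access-Control-Allow-Origin', origin);
    }
  })

  next();
});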
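
An added example, not taken from any of the answers above: the allowlist approach written as an exact match on the full origin (scheme, host and port), with `Vary: Origin` set and the credentials header sent only to allowed origins. The names `ALLOWED_ORIGINS`, `canonicalOrigin`, `corsHeadersFor` and `corsAllowlist` are hypothetical; the two allowed origins are the ones from the question.

```javascript
// Added example: exact-match CORS origin allowlist for Express-style middleware.
// All names here are hypothetical; the allowed origins come from the question.
const ALLOWED_ORIGINS = new Set([
  'http://mydomain.com:9001',
  'http://mydomain.com:5001',
]);

// Reduce an Origin header to canonical scheme://host[:port], or null if it is
// missing, malformed, the literal "null", or carries a path or credentials.
function canonicalOrigin(header) {
  if (typeof header !== 'string') return null;
  let url;
  try {
    url = new URL(header);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) return null;
  return url.origin; // host lower-cased, default port dropped
}

// Decide the CORS response headers for one request. Vary: Origin is always
// set so a shared cache never replays one origin's answer to another.
function corsHeadersFor(originHeader, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: 'Origin' };
  const origin = canonicalOrigin(originHeader);
  if (origin !== null && allowed.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Express-style middleware (req, res, next) built on the function above.
function corsAllowlist(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const name of Object.keys(headers)) res.setHeader(name, headers[name]);
  next();
}

// Constructed sample Origin values: two allowed, the rest lookalikes or junk.
const samples = ['http://mydomain.com:9001', 'HTTP://MyDomain.com:5001',
  'http://notmydomain.com:9001', 'https://mydomain.com:9001', 'null', undefined];
for (const s of samples) {
  console.log(String(s), '->', corsHeadersFor(s)['Access-Control-Allow-Origin'] || '(none)');
}
```

If the application already sets a `Vary` header elsewhere, append `Origin` to it instead of overwriting it.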