laravel 带有 allowcredentials 的通配符 CORS 为真
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24531864/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Wildcard CORS with allowcredentials true
提问by iamjonesy
I have a project where I'm using wildcard subdomains like user.mysite.comwhere username is a wildcard.
我有一个项目,我在其中使用通配符子域,例如user.mysite.com用户名是通配符。
In my server (PHP) I've set the following headers:
在我的服务器 (PHP) 中,我设置了以下标头:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Credentials: true');
This allows me to do ajax calls from the frontend since I don't know what the domain is going to be. However I also need my cookies to be sent with the requests for maintaining sessions but when I tell AngularJS on my frontend to send the credentials I get the following message:
这允许我从前端进行 ajax 调用,因为我不知道域将是什么。但是,我还需要将 cookie 与维护会话的请求一起发送,但是当我告诉前端的 AngularJS 发送凭据时,我收到以下消息:
A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true
I understand this is for security reasons but now I have no way of session management in my app. Can anyone suggest a workaround for this?
我知道这是出于安全原因,但现在我无法在我的应用程序中进行会话管理。任何人都可以为此提出解决方法吗?
Where I tell Angular to send credentials:
我告诉 Angular 发送凭据的地方:
$httpProvider.defaults.withCredentials = true;
My ajax requests are being send to a different subdomain. ie the url could be billy.mysite.combut the ajax requests are being sent to api.mysite.com.
我的 ajax 请求被发送到不同的子域。即 url 可能是,billy.mysite.com但 ajax 请求正在发送到api.mysite.com.
回答by Koushik Samanta
@iamjonesy - You have done silly mistake.
@iamjonesy - 你犯了愚蠢的错误。
"A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true"
To avoid the above error just follow the steps. Suppose your api server is http://api.com. And your UI server, from where you executing ajax call, is http://ui.com
为避免上述错误,只需按照以下步骤操作即可。假设您的 api 服务器是http://api.com。您执行 ajax 调用的 UI 服务器是http://ui.com
PHP header code should be like,
PHP 标头代码应该是这样的,
header('Access-Control-Allow-Origin: http://ui.com');
header('Access-Control-Allow-Credentials: true');
Put the below line in angular config.js
将以下行放在 angular config.js 中
$httpProvider.defaults.withCredentials = true;
What I did, never set "*" as wild character to $httpProvider.defaults.withCredentials,just mention full domain name from where the ajax code is reside.
我所做的,从未将“ *”设置为$httpProvider.defaults.withCredentials 的通配符,只需提及 ajax 代码所在的完整域名。
回答by kojo
PeeHaais correct in the comments:
PeeHaa在评论中是正确的:
Just fetch the host of the current request and use that instead of the wildcard
只需获取当前请求的主机并使用它而不是通配符
That is, do something like:
也就是说,做这样的事情:
header('Access-Control-Allow-Origin: '.$requestHeaders['Host']);
header('Access-Control-Allow-Origin: '.$requestHeaders['Host']);
Don't do is this way!
不要这样做!
This is what you've asked for exactly and it solves the problem. Basically, the equivalent of header('Access-Control-Allow-Origin: *');However, this will create a huge security hole.
这正是您所要求的,它解决了问题。基本上相当于header('Access-Control-Allow-Origin: *');不过,这会造成巨大的安全漏洞。
Doing this will effectively mean that any site your user enters will be able to do anything on behalf of your user without his consent or notice since you relay the Access-Control-Allow-Originwith whatever host is sent andallow this host to transmit the original user's cookie (if it is set in the browser for your API).
这样做实际上意味着您的用户进入的任何站点都可以在没有他的同意或通知的情况下代表您的用户做任何事情,因为您Access-Control-Allow-Origin使用发送的任何主机中继并允许该主机传输原始用户的 cookie(如果它是在浏览器中为您的 API 设置)。
Instead, before relaying you should alwaysfilter the hosts. Implement some kind of whitelist-checking or regexp-checking and only if it passes, relay the Hostto Access-Control-Allow-Origin.
相反,在中继之前,您应该始终过滤主机。实施某种白名单检查或正则表达式检查,只有通过时,才会Host将Access-Control-Allow-Origin.
