Dynamic Access-Control-Allow-Origin header in Serverless

I have configured a Serverless function as shown below

id:
  handler: id.get
  events:
    - http:
        path: id
        method: get
        cors:
          origin: ""
          headers:
            - Content-Type
            - X-Amz-Date
            - Authorization
            - X-Api-Key
            - X-Amz-Security-Token
            - x-access-token
          allowCredentials: true

The code in my handler function is as follows

let headers = {
  'Content-Type': 'application/json',
  'Access-Control-Allow-Origin': event.headers.Origin ? event.headers.Origin : event.headers.origin,
  'Access-Control-Allow-Credentials': true
}
callback(null, {
  "isBase64Encoded": false,
  "statusCode": 200,
  "headers": headers,
  "body": JSON.stringify(body),
  "multiValueHeaders": multiValueHeaders
})

The response I receive to the OPTIONS request is

access-control-allow-origin: *
access-control-allow-credentials: true

which results in the following error

Access to XMLHttpRequest at 'https://example.com/dev/id' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

I want Access-Control-Allow-Origin to be dynamic (the origin of the request). How can I solve this?

I created a new method, options, with the code below

module.exports.options = async (event, context, callback) => {
  const origin = event.headers.Origin || event.headers.origin;
  context.succeed({
    headers: {
      "Access-Control-Allow-Headers": "Accept,Accept-Language,Content-Language,Content-Type,Authorization,x-correlation-id,x-access-token",
      "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS",
      "Access-Control-Allow-Origin": origin ? origin : '*',
      "Access-Control-Allow-Credentials": true
    },
    statusCode: 204
  });
};

serverless.yml

options:
  handler: id.options
  events:
    - http:
        path: id
        method: options

Changes to this configuration:

id:
  handler: id.get
  events:
    - http:
        path: id
        method: get
        cors:
          origin: "*"
          headers:
            - Content-Type
            - X-Amz-Date
            - Authorization
            - X-Api-Key
            - X-Amz-Security-Token
            - x-access-token
          allowCredentials: true
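
An added example, not code from the posts above: echoing whatever `Origin` arrives together with `Access-Control-Allow-Credentials: true` lets any site read credentialed responses, so this variant of the `options` and `get` handlers reflects the origin only on an exact allowlist match and sends `Vary: Origin`. The allowlist entries, the `corsHeaders` and `preflightResponse` helper names and the sample body are assumptions made for illustration.

```javascript
// Assumption: origins trusted to make credentialed requests (constructed values).
const ALLOWED_ORIGINS = new Set(['http://localhost:8080', 'https://app.example.com']);
const ALLOW_HEADERS = 'Content-Type,Authorization,X-Api-Key,x-access-token';

// API Gateway may deliver the header as "Origin" or "origin".
function requestOrigin(event) {
  const h = (event && event.headers) || {};
  return h.Origin || h.origin || null;
}

// Echo the origin only on an exact allowlist match; never fall back to '*'.
function corsHeaders(event) {
  const origin = requestOrigin(event);
  const headers = { Vary: 'Origin' }; // keep caches from reusing one origin's response
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Preflight response: 204 for an allowed origin, 403 with no CORS grant otherwise.
function preflightResponse(event) {
  const headers = corsHeaders(event);
  if (!headers['Access-Control-Allow-Origin']) {
    return { statusCode: 403, headers };
  }
  headers['Access-Control-Allow-Methods'] = 'GET,HEAD,OPTIONS';
  headers['Access-Control-Allow-Headers'] = ALLOW_HEADERS;
  return { statusCode: 204, headers };
}

// Lambda entry points matching the handlers id.options and id.get.
const options = async (event) => preflightResponse(event);
const get = async (event) => ({
  statusCode: 200,
  headers: { 'Content-Type': 'application/json', ...corsHeaders(event) },
  body: JSON.stringify({ id: 'constructed-sample' }), // constructed body
});

if (typeof module !== 'undefined') {
  module.exports = { options, get, corsHeaders, preflightResponse };
}
```

A browser treats a response without `Access-Control-Allow-Origin` as a CORS failure, so origins outside the allowlist cannot read the response from page script.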