Nginx 使用带有凭据的 CORS
Nginx using CORS with credentials
我正在构建一个通过 Nginx 服务器与 Laravell API 通信的 Web 应用程序。我尝试按照 wide open cors Nginx 网站上的说明进行操作,但它不喜欢发送凭据时的通配符响应。
Access to fetch at 'https://api.***.com/' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '' when the request's credentials mode is 'include'.
API 服务器需要 Bearer 访问令牌进行身份验证,并且每个端点都位于服务器上自己的路径中。这种场景下Nginx的正确配置方式是什么?
错误信息是对的,你不能使用通配符来源 and credentials:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
For requests without credentials, the literal value "*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.
相反,只需传回实际来源,即到达来源 HTTP header 的来源,那么它将始终匹配:
add_header Access-Control-Allow-Origin $http_origin always;
我正在构建一个通过 Nginx 服务器与 Laravell API 通信的 Web 应用程序。我尝试按照 wide open cors Nginx 网站上的说明进行操作,但它不喜欢发送凭据时的通配符响应。
Access to fetch at 'https://api.***.com/' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '' when the request's credentials mode is 'include'.
API 服务器需要 Bearer 访问令牌进行身份验证,并且每个端点都位于服务器上自己的路径中。这种场景下Nginx的正确配置方式是什么?
错误信息是对的,你不能使用通配符来源 and credentials:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
For requests without credentials, the literal value "
*" can be specified, as a wildcard; the value tells browsers to allow requesting code from any origin to access the resource. Attempting to use the wildcard with credentials will result in an error.
相反,只需传回实际来源,即到达来源 HTTP header 的来源,那么它将始终匹配:
add_header Access-Control-Allow-Origin $http_origin always;