跨域事件源

发布于 2024-11-15 02:51:52 字数 417 浏览 3 评论 0原文

我正在尝试使用nodejs 创建一个EventSource 服务器,它将服务器跨域请求。我正在发回 Access-Control-Allow-Origin 标头,但浏览器(Chrome 或 Opera 也不是)不允许我连接。我发回了一些标头:

this._response.writeHead(200, {
    'Content-Type': 'text/event-stream',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true'
});

我怎样才能正确地做到这一点?

问候

I am trying to create an EventSource server using nodejs, that will server requests cross domain. I am sending back Access-Control-Allow-Origin header, but the browser (nor Chrome or Opera) won`t let me connect. There are the headers I send back:

this._response.writeHead(200, {
    'Content-Type': 'text/event-stream',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true'
});

How can I do this the right way?

Regards

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

不弃不离 2024-11-22 02:51:53

Allow-Credentials 不能与 Allow-Origin 设置为 * 一起使用。
考虑在您的响应中写入收到的 Origin-header。

Allow-Credentials cannot be used with Allow-Origin set to *.
Consider writing the received Origin-header in your response.

以往的大感动 2024-11-22 02:51:53

参见 https://github.com/Yaffle/EventSource - 可以采用polyfill来支持Firefox的CORS, Webkit 和 IE 8+

see https://github.com/Yaffle/EventSource - polyfill can be adopted to support CORS for Firefox, Webkit and IE 8+

殊姿 2024-11-22 02:51:53

尝试使用以下块代替您的块。浏览器将使用 OPTIONS 调用一次,然后将按预期发出请求。

如果您已经分解了请求方法,则不需要 if 语句 - 但我想给您一个完整的块,以防万一您像 Hello World 例子就是这样。

if (req.method === "OPTIONS") {
    console.log('!OPTIONS');
    var headers = {};
    // IE8 does not allow domains to be specified, just the *
    // headers["Access-Control-Allow-Origin"] = req.headers.origin;
    headers["Access-Control-Allow-Origin"] = "*";
    headers["Access-Control-Allow-Methods"] = "POST, GET, PUT, DELETE, OPTIONS";
    headers["Access-Control-Allow-Credentials"] = false;
    headers["Access-Control-Max-Age"] = '86400'; // 24 hours
    headers["Access-Control-Allow-Headers"] = "X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept";
    res.writeHead(200, headers);
    res.end();
}

Try the following block in place of yours. The browser will call one time with OPTIONS and then the request will be made as expected after that.

You won't need the if statement if you have broken out the request methods - but I wanted to give you a full block just in case you're hosting it like the Hello World example did.

if (req.method === "OPTIONS") {
    console.log('!OPTIONS');
    var headers = {};
    // IE8 does not allow domains to be specified, just the *
    // headers["Access-Control-Allow-Origin"] = req.headers.origin;
    headers["Access-Control-Allow-Origin"] = "*";
    headers["Access-Control-Allow-Methods"] = "POST, GET, PUT, DELETE, OPTIONS";
    headers["Access-Control-Allow-Credentials"] = false;
    headers["Access-Control-Max-Age"] = '86400'; // 24 hours
    headers["Access-Control-Allow-Headers"] = "X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept";
    res.writeHead(200, headers);
    res.end();
}
纵山崖 2024-11-22 02:51:53

如果您使用跨域资源,您会收到安全异常(SECURITY_ERR:DOM 异常18)。这可能是由于:

  1. 尝试通过 file:// 访问本地资源(本地文件不通过节点服务器提供)或
  2. 尝试从另一台不允许 CORS 的服务器访问资源,或者
  3. 您正在测试来自本地文件的页面,而不是来自节点服务器提供的 URL 的页面。

You get Security Exception (SECURITY_ERR: DOM Exception 18) if you are using cross domain resources. This could be due to :

  1. trying to access local resources via file:// (local files not served via node server) or
  2. trying to access resources from another server that does not allow CORS or
  3. maybe you are testing the page from the local file instead of from the URL served from your node server.
酒儿 2024-11-22 02:51:53

注意:响应 凭据请求请求时,服务器必须Access-Control-Allow-Origin标头的值中指定来源,而不是指定“*”通配符。

https://developer.mozilla.org/en-US/ docs/Web/HTTP/CORS#simple_requests

所以:(

res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
res.setHeader('Access-Control-Allow-Credentials', 'true')

服务器端)

如果客户端的来源 (req.headers.origin) 是受信任的。


或者只需设置 {withCredentials: false} (客户端)并使用 res.setHeader( 'Access-Control-Allow-Origin', '*') 如果您不需要它。

Note: When responding to a credentialed requests request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests

So:

res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
res.setHeader('Access-Control-Allow-Credentials', 'true')

(server-side)

if client's origin (req.headers.origin) is trusted.


Or simply set {withCredentials: false} (client-side) and use res.setHeader('Access-Control-Allow-Origin', '*') if you don't need it.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文