api - 如果 CORS header ‘Access-Control-Allow-Origin’ 为 ‘*’ 且 CORS 请求未成功，则不支持凭据

Question

我正在尝试使用 django 应用程序在 angularjs 中获取 api 数据。当我尝试访问 api 时出现错误 - Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*' and CORS request did not succeed。 API 托管在单独的 Django 应用程序中。

    INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'Bigflow.Core',

    'rest_framework',
    'Bigflow.API',
    'rest_framework.authtoken',
    'corsheaders'
    ]

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',

    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]


 CORS_ORIGIN_ALLOW_ALL = True  # i teried false using CORS_ORIGIN_WHITELIST = (
    'localhost:8001',
)
    CORS_ALLOW_CREDENTIALS = True # i tried both false and true

我的 js

 this.api = function () {
 var response =    $http.get("http://127.0.0.1:8000/Schedule_Master?Entity_gid=1&Action=FOLLOWUP_REASON&Schedule_Type_gid=1",{headers: {
        'Authorization': 'Token 7111*******************',
        'Accept': 'application/json',
        'Access-Control-Allow-Origin':'*'

    }})
    return response;
    }

我尝试了很多来自 stackoverflow 的解决方案。我无法解决我的问题，或者我想更改我的 api 托管服务器(Django 应用程序)中的任何配置。请指导我。提前致谢

Answer 1

此错误应该与 Access-Control-Allow-Origin 设置有关。

CORS_ORIGIN_ALLOW_ALL = True 肯定会导致问题。(检查以下链接)

所以除了localhost:8001，尝试将http://127.0.0.1:8001也加入白名单，或许可以解决这个问题。浏览器将 localhost 和 127.0.0.1 视为不同的域。

Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’

The CORS request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of Access-Control-Allow-Origin, which doesn't allow the use of credentials.

To correct this problem on the client side, simply ensure that the credentials flag's value is false when issuing your CORS request.

If the request is being issued using XMLHttpRequest, make sure you're not setting withCredentials to true.

If using Server-sent events, make sure EventSource.withCredentials is false (it's the default value).

If using the Fetch API, make sure Request.credentials is "omit".

If, instead, you need to adjust the server's behavior, you'll need to change the value of Access-Control-Allow-Origin to grant access to the origin from which the client is loaded.