科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - Express CORS subdomain - Stack Overflow

    javascript - Express CORS subdomain - Stack Overflow

    programmeradmin1浏览0评论

    I have a site —— that makes calls to an API ——. The API is written in Express, and its using CORS package to allow the requests from the site:

    app.use(
    cors({
        credentials: true,
        origin: "",
    })
);

    The site can be accessed via or via . As you see, in the API am allowing explicitly the requests ing from the former address, but not from the latter. So if anyone access it via the latter address the requests to the API will be rejected.

    What is the usual way to solve that? Allow explicitly both and ? Or maybe there is a way to ignore the subdomain www?

    Thanks in advance!

    --

    EDIT:

    As proposed I added explicitly to the cors configuration

    app.use(
    cors({
        credentials: true,
        origin: ["", ""],
    })
);

    But this didn't work. As a workaround what I just did is to redirect with a rewrite condition in .htaccess file —Apache server— from www domain to non www domain.

    But the question now is: why even allowing www.example didnt work? Is there any mon reason for that?

    I have a site —https://example.— that makes calls to an API —https://api.example.—. The API is written in Express, and its using CORS package to allow the requests from the site:

    app.use(
    cors({
        credentials: true,
        origin: "https://example.",
    })
);

    The site can be accessed via https://example. or via https://www.example.. As you see, in the API am allowing explicitly the requests ing from the former address, but not from the latter. So if anyone access it via the latter address the requests to the API will be rejected.

    What is the usual way to solve that? Allow explicitly both https://example. and https://www.example.? Or maybe there is a way to ignore the subdomain www?

    Thanks in advance!

    --

    EDIT:

    As proposed I added https://www.example. explicitly to the cors configuration

    app.use(
    cors({
        credentials: true,
        origin: ["https://example.", "https://www.example."],
    })
);

    But this didn't work. As a workaround what I just did is to redirect with a rewrite condition in .htaccess file —Apache server— from www domain to non www domain.

    But the question now is: why even allowing www.example. didnt work? Is there any mon reason for that?

    • javascript
    • node.js
    • express
    • cors
    Share Improve this question edited Jul 5, 2019 at 8:36 asked Jul 5, 2019 at 8:11 user7499416user7499416 5
    • If the site can be accessed at both https://example. and https://www.example., then in your npm-cors config, you need to explicitly allow both https://example. and https://www.example.. There’s no other way to ignore/handle https://www.example.. – sideshowbarker Commented Jul 5, 2019 at 8:19
    • You can specify a regular expression like https://(www.)example. for the npm-cors ‘origin’ value, but the effect of that is gonna be the same as if you just specified an array with the explicit values. And in the end the effect is anyway going to be that the server either sends back https://example. as the explicit value, or it sends back https://www.example.. Browsers treat the value literally — unless the value is the * wildcard. And of course as an alternative to specifying allowed origins, you always have the option to specify the * wildcard for the ‘origin’ config value – sideshowbarker Commented Jul 5, 2019 at 8:25
    • Ok, then I will set them explicitly. Thanks! – user7499416 Commented Jul 5, 2019 at 8:28
    • Hm, setting them explicitly didn't work. As a workaround what I just did is to redirect with a rewrite condition in .htaccess file —Apache server— from www domain to non www domain. But the question now is: even allowing www.example., why didnt work? I update the question – user7499416 Commented Jul 5, 2019 at 8:35
    • Have you tried using regular expressions? – ionizer Commented Jul 5, 2019 at 9:03
    Add a ment  | 

    2 Answers 2

    Reset to default 2

    The usual way would be to avoid having two websites on different origins with identical content.

    Configure www.example. to issue an HTTP 301 redirect to example..

    Allow explicitly both https://example. and https://www.example.?

    That would work too. origin can be passed an array.

    Or maybe there is a way to ignore the subdomain www?

    origin can also be passed a regular expression.

    You need to allow both domains. The API for doing this is a bit plicated. Basically you need to read the documentation of the CORS package:

    app.use(
    cors({
        credentials: true,
        origin: function (origin callback) {
            switch (origin) {
                case "https://example.":
                case "https://www.example.":
                    callback(null, true); // allow these domains
                    break;
                default:
                    callback(new Error('Now allowed')); // block others
            }
        },
    })
);

    The value of origin can only be either a string or your own custom logic implemented as a function.

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论