{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 疯言疯语 的问题《Angular: A wildcard '*' cannot be used in》','https://www.manongdao.com/q-477261.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I know there are a lot of questions concerning CORS already but they don't seem to answer my question.
So I have a client app written in Angular which will be used to create a mobile app (with Apache Cordova). The html files and JavaScript files will be loaded from the mobile device.
When I simulate that and I send requests to the REST API server I first got
"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:82' is therefore not allowed access".
So I added header("Access-Control-Allow-Origin: *"); in my php REST API Server. I cannot specify a specific domain as the requests will come from the mobile devices.
Now I got to "A wildcard '*' cannot be used in the 'Access-Control-Allow-Origin' header when the credentials flag is true."
I finally found a solution but I'm not sure it is safe to keep it like this.
In my php REST API Server I added this:
if (isset($_SERVER['HTTP_ORIGIN'])) {
header("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Access-Control-Allow-Headers: *, X-Requested-With, Content-Type");
header("Access-Control-Allow-Methods: GET, POST, DELETE, PUT");
}
Please advise on this way of working. If it is not secure or no good at all, can you please tell me how to solve this issue?
Thanks a lot!
Response should only have the accepted headers in Access-Control-Allow-Headers, don't use wildcard.
As far as it being safe, note the comment from @Jules in this post about CORS:
See also the following for examples:
Wildcard not accepted in Access-Control-Allow-Headers
Specify headers Access-Control-Allow-Headers
Alternative approach
You can just set the origin header to:
If you don't need to include cookies in your request remove:
Remove the wildcard from Access-Control-Allow-Headers and add Authorization and then pass that header as part of your request for authorization, instead of passing credentials in a cookie, ex:
Also, add the OPTIONS to allowed methods.