遇到带 Access-Control-Allow-Origin: *， 还会跨域报错的情况

 

Access to fetch at 'http://localhost:8001/bos/orders/count' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

以上意思是 当请求的凭据模式为“include”时，响应中的标头不能是通配符“*” ， 顾名思义，当 credentials: 'include' 时， 请求头 Access-Control-Allow-Origin 不能是*

Access-Control-Allow-Credentials是请求header，表示请求的响应是否可以暴露于该页面。当true值返回时它可以被暴露。凭证是 Cookie ，授权标头或 TLS 客户端证书。

解决方法：去掉该请求头, 但是此举会使 cookie 和 session失效

允许凭证：

Access-Control-Allow-Credentials: true

使用 XHR 凭证：

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true); 
xhr.withCredentials = true; 
xhr.send(null);

使用提取凭证：

fetch(url, {
  credentials: 'include'  
})