Access to fetch at 'http://localhost:8001/bos/orders/count' from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
以上意思是 当请求的凭据模式为“include”时,响应中的标头不能是通配符“*” , 顾名思义,当 credentials: 'include' 时, 请求头 Access-Control-Allow-Origin 不能是*
Access-Control-Allow-Credentials是请求header,表示请求的响应是否可以暴露于该页面。当true值返回时它可以被暴露。凭证是 Cookie ,授权标头或 TLS 客户端证书。
解决方法:去掉该请求头, 但是此举会使 cookie 和 session失效
允许凭证:
Access-Control-Allow-Credentials: true
使用 XHR 凭证:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://example.com/', true);
xhr.withCredentials = true;
xhr.send(null);
使用提取凭证:
fetch(url, {
credentials: 'include'
})