// Requires `use yii\filters\Cors;` at the top of the controller file.
public function behaviors(): array
{
    $behaviors = parent::behaviors();
    // CORS configuration (the widely recommended "allow everything" form)
    $behaviors['corsFilter'] = [
        'class' => Cors::class,
        'cors' => [
            'Origin' => ['*'],
            // The Yii2 filter key is the singular 'Access-Control-Request-Method'
            'Access-Control-Request-Method' => ['*'],
            'Access-Control-Request-Headers' => ['*'],
            // A wildcard Origin together with credentials is what triggers the error below
            'Access-Control-Allow-Credentials' => true,
        ],
    ];
    return $behaviors;
}
When you run into a cross-origin problem, most of the advice you find tells you to configure the backend API like this. Under the Yii2 framework, however, the backend responds with an error:
Error: Allowing credentials for wildcard origins is insecure. Please specify more restrictive origins or set 'credentials' to false in your CORS configuration.
at service.interceptors.response.use.code.code
I never understood why; sometimes I set credentials = false and it also worked:
'Access-Control-Allow-Credentials' => false,
Later I found this explanation, https://www.cnblogs.com/kudo-shini/p/13840118.html, and it turned out the grant was too broad.
The error above is telling you that sending credentials for a wildcard origin is insecure: it asks you either to set a more restrictive Origin or to set Access-Control-Allow-Credentials to false. Reflecting any origin while also allowing cookies or an Authorization header would let any site read authenticated responses, which is why the filter refuses the combination.
That page sometimes does not load, so I am recording the configuration here again so I can find it later:
// Inside behaviors(), replacing the wildcard entry above
$behaviors['corsFilter'] = [
    'class' => Cors::class,
    'cors' => [
        // Explicit allowlist instead of '*': only this origin is reflected back
        'Origin' => ['http://localhost:8080'],
        'Access-Control-Request-Method' => ['*'],
        'Access-Control-Request-Headers' => ['*'],
        'Access-Control-Allow-Credentials' => true,
        // Seconds a browser may cache the preflight answer
        'Access-Control-Max-Age' => 3600,
        // One array element per header name; the filter joins them with ', '
        'Access-Control-Expose-Headers' => ['Content-Type', 'Content-Length', 'Authorization', 'Accept', 'X-Requested-With'],
    ],
];
Explanation of the configuration above:
Origin: corresponds to Access-Control-Allow-Origin, the response header that states whether the resource in the response may be shared with the given origin.
Access-Control-Request-Method: tells the server which HTTP method the actual request will use. Because the preflight request always uses OPTIONS, which differs from the method of the actual request, this header is necessary.
Access-Control-Request-Headers: tells the server which request headers the actual request will use.
Access-Control-Allow-Credentials: states whether the response to the request may be exposed to the page. It is allowed only for the value true; any other value is not.
Access-Control-Max-Age: states how long the result (the information provided by Access-Control-Allow-Methods and Access-Control-Allow-Headers) may be cached.
Access-Control-Expose-Headers: lists which headers may be exposed to the caller as part of the response.
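To make the error at the top of the page and the header explanations above concrete, here is an added example (not code from the original post, and not Yii2's own filter) that computes the CORS response headers for one request the way such a filter has to: it reflects the request's Origin only when the origin is on an explicit allowlist, refuses a wildcard list combined with credentials, and answers a preflight with the allowed methods, headers and cache lifetime. The function name buildCorsHeaders, the exact-match allowlist, and the sample policy and request headers are all assumptions constructed for this example; it needs PHP 7.4 or newer.

```php
<?php
// Added illustration, not code from the original post or from Yii2 itself.
declare(strict_types=1);

/**
 * Compute the CORS response headers for one request.
 * $requestHeaders: incoming headers (Origin, Access-Control-Request-*); $cors: a policy in
 * the same shape as the page's 'cors' array; $isPreflight: true for the OPTIONS request.
 */
function buildCorsHeaders(array $requestHeaders, array $cors, bool $isPreflight): array
{
    $allowCredentials = !empty($cors['Access-Control-Allow-Credentials']);
    $allowedOrigins   = $cors['Origin'] ?? [];

    // The combination the page's error message is about: '*' cannot be reflected as
    // Access-Control-Allow-Origin when cookies or Authorization are also allowed,
    // because any site could then read authenticated responses.
    if ($allowCredentials && in_array('*', $allowedOrigins, true)) {
        throw new InvalidArgumentException(
            'Allowing credentials for wildcard origins is insecure; list explicit origins or disable credentials.'
        );
    }

    $response = [];
    $origin = $requestHeaders['Origin'] ?? null;
    if ($origin === null) {
        return $response; // same-origin or non-browser request: no CORS headers needed
    }

    // Exact-match allowlist (an assumption of this example): reflect the request's own
    // Origin, never '*', so each permitted front end gets its own answer.
    if (in_array($origin, $allowedOrigins, true)) {
        $response['Access-Control-Allow-Origin'] = $origin;
        $response['Vary'] = 'Origin'; // caches must not serve one origin's answer to another
    } elseif (in_array('*', $allowedOrigins, true)) {
        $response['Access-Control-Allow-Origin'] = '*';
    } else {
        return $response; // unknown origin: no Allow-Origin header, the browser blocks the read
    }

    if ($allowCredentials) {
        $response['Access-Control-Allow-Credentials'] = 'true';
    }

    if ($isPreflight) {
        // Preflight answer: what the real request may use, and how long to cache that answer
        $methods = $cors['Access-Control-Request-Method'] ?? ['GET', 'POST', 'HEAD', 'OPTIONS'];
        $response['Access-Control-Allow-Methods'] = implode(', ', $methods);

        $requested      = $requestHeaders['Access-Control-Request-Headers'] ?? '';
        $allowedHeaders = array_map('strtolower', $cors['Access-Control-Request-Headers'] ?? []);
        if (in_array('*', $allowedHeaders, true)) {
            $response['Access-Control-Allow-Headers'] = $requested; // echo what was asked for
        } else {
            // Grant only the requested headers that are on the list; anything else is dropped
            $granted = array_filter(
                array_map('trim', explode(',', $requested)),
                fn (string $h) => in_array(strtolower($h), $allowedHeaders, true)
            );
            $response['Access-Control-Allow-Headers'] = implode(', ', $granted);
        }

        if (isset($cors['Access-Control-Max-Age'])) {
            $response['Access-Control-Max-Age'] = (string) $cors['Access-Control-Max-Age'];
        }
    }

    if (!empty($cors['Access-Control-Expose-Headers'])) {
        $response['Access-Control-Expose-Headers'] = implode(', ', $cors['Access-Control-Expose-Headers']);
    }

    return $response;
}

// Constructed sample policy and preflight from a dev front end on port 8080 (not from the page)
$policy = [
    'Origin'                           => ['http://localhost:8080'],
    'Access-Control-Request-Method'    => ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
    'Access-Control-Request-Headers'   => ['content-type', 'authorization'],
    'Access-Control-Allow-Credentials' => true,
    'Access-Control-Max-Age'           => 3600,
    'Access-Control-Expose-Headers'    => ['Authorization'],
];
$preflight = [
    'Origin'                         => 'http://localhost:8080',
    'Access-Control-Request-Method'  => 'POST',
    'Access-Control-Request-Headers' => 'content-type, x-debug',
];
print_r(buildCorsHeaders($preflight, $policy, true)); // x-debug is not granted

// An origin that is not on the list receives no Access-Control-Allow-Origin at all.
print_r(buildCorsHeaders(['Origin' => 'http://other.example'], $policy, false));

// The wildcard-plus-credentials policy from the top of the page is refused up front.
try {
    buildCorsHeaders($preflight, ['Origin' => ['*'], 'Access-Control-Allow-Credentials' => true], true);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Two design points worth noting. Because the allowlist is compared exactly, a front end served from a different port is a different origin and needs its own entry; that is what keeps the reflected Access-Control-Allow-Origin tied to one known site rather than to whatever the request claims. And the Vary: Origin header matters whenever the origin is reflected, otherwise a shared cache could hand one origin's response, with its credentials flag, to a request from another.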
In the end, my cross-origin configuration is:
public function behaviors(): array
{
    $behaviors = parent::behaviors();
    // CORS configuration
    $behaviors['corsFilter'] = [
        'class' => Cors::class,
        'cors' => [
            'Origin' => ['http://localhost:*'],
            // The Yii2 filter key is the singular 'Access-Control-Request-Method'
            'Access-Control-Request-Method' => ['*'],
            'Access-Control-Request-Headers' => ['*'],
            'Access-Control-Allow-Credentials' => true,
            'Access-Control-Allow-Headers' => ['content-type'],
        ],
    ];
    return $behaviors;
}