CORS another one
devtools console helps:
Access to XMLHttpRequest at 'http://localhost:8443/api/essay/6' from origin 'http://localhost:8082' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Access to fetch at 'http://localhost:8443/graphql' from origin 'http://localhost:8082' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.
login:109 Access to fetch at 'http://localhost:8443/graphql' from origin 'http://localhost:8082' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
but CORS is needed in order to make requests to other domains!
Access to fetch at 'http://localhost:8443/graphql' from origin 'http://localhost:8082' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
@CrossOrigin("http://localhost:8082") can be added on the controller instead of the config
https://stackoverflow.com/questions/58026768/enable-cors-origin-graphql
The response to the preflight request must include the Access-Control-Allow-Origin header!
html can configure cors policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
https://web.dev/referrer-best-practices/
https://developer.chrome.com/blog/referrer-policy-new-chrome-default/#implement-an-explicit-privacy-enhancing-policy-across-your-site
https://www.baeldung.com/spring-security-cors-preflight
https://www.baeldung.com/spring-cors
Cross-origin requests, in short, are HTTP requests where the origin and the target of the request are different. This is the case, for instance, when a web application is served from one domain and the browser sends an AJAX request to a server in another domain.
To manage cross-origin requests, the server needs to enable a particular mechanism known as CORS, or Cross-Origin Resource Sharing.
The first step in CORS is an OPTIONS request to determine whether the target of the request supports it. This is called a pre-flight request.
The server can then respond to the pre-flight request with a collection of headers:
Access-Control-Allow-Origin: Defines which origins may have access to the resource. A '*' represents any origin
Access-Control-Allow-Methods: Indicates the allowed HTTP methods for cross-origin requests
Access-Control-Allow-Headers: Indicates the allowed request headers for cross-origin requests
Access-Control-Max-Age: Defines the expiration time of the result of the cached preflight request
So, if the pre-flight request doesn't meet the conditions determined from these response headers, the actual follow-up request will throw errors related to the cross-origin request.
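The browser-side check behind the console errors above, as an added example (not from the original notes or from Spring): a simplified model of how the preflight response headers are evaluated. The names checkPreflight and list and the shape of the request object are assumptions made for illustration, and the sample values are constructed from the origins on this page.

```javascript
// Simplified model of the browser's check on a preflight (OPTIONS) response.
// Header names in `headers` are expected in lower case.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

function list(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

function checkPreflight(headers, req) {
  const withCreds = req.credentials === 'include';
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'no Access-Control-Allow-Origin header';
  if (allowOrigin === '*') {
    if (withCreds) return "wildcard origin not allowed with credentials mode 'include'";
  } else if (allowOrigin !== req.origin) {
    return 'Access-Control-Allow-Origin does not match the request origin';
  }
  if (withCreds && headers['access-control-allow-credentials'] !== 'true') {
    return "Access-Control-Allow-Credentials must be 'true'";
  }
  // '*' in the method/header lists is only a wildcard without credentials.
  const methods = list(headers['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.includes(req.method) ||
    methods.includes(req.method) || (!withCreds && methods.includes('*'));
  if (!methodOk) return `method ${req.method} not allowed`;
  const allowed = list(headers['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    if (!allowed.includes(name) && !(!withCreds && allowed.includes('*'))) {
      return `request header ${name} not allowed`;
    }
  }
  return 'ok';
}

// Constructed sample: the page's frontend origin calling /graphql with cookies.
const request = {
  origin: 'http://localhost:8082', credentials: 'include',
  method: 'POST', headers: ['Content-Type'], // names from Access-Control-Request-Headers
};
const good = {
  'access-control-allow-origin': 'http://localhost:8082',
  'access-control-allow-credentials': 'true',
  'access-control-allow-methods': 'POST',
  'access-control-allow-headers': 'content-type',
};
console.log(checkPreflight({}, request));
console.log(checkPreflight({ 'access-control-allow-origin': '*' }, request));
console.log(checkPreflight(good, request));
```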
.cors().and() - CORS support has to be enabled, because CORS is how the backend tells the browser that requests from this domain are allowed
// .cors().disable()
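import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebMvc
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // registry.addMapping("/graphql/**")
        // registry.addMapping("/graphql")
        registry.addMapping("/**") // apply the CORS rules to every path
                .exposedHeaders(CorsConfiguration.ALL)
                // .allowedOrigins(CorsConfiguration.ALL)
                // explicit frontend origin: browsers reject '*' when credentials mode is 'include'
                .allowedOrigins("http://localhost:8082")
                .allowedHeaders(CorsConfiguration.ALL)
                .allowedMethods(CorsConfiguration.ALL);
        // registry.addMapping("/**")
        // .allowedMethods("*")
    }
}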