将 CORS 设置为传入请求 IP

Question

我正在使用 IBM HTTP Server 9.0.0.7。 有一个计划的集成，其中用户通过 chrome 设置请求。 httpd.conf 包含以下内容

<VirtualHost *:443>
 SSLEnable
 Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,PATCH,OPTIONS"
 Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, 
 Access-Control-Request-Method, Access-Control-Request-Headers, Credentials"
 Header set Access-Control-Allow-Credentials "true"
</VirtualHost>

浏览器允许初始登录请求，但随后的 ajax 请求被 CORS 阻止 抛出的错误是

Access to XMLHttpRequest at 'https://someip/api?select=category,description' from origin 'http://localhost:38359' has been blocked by CORS policy: 
Response to preflight request doesn't pass access control check: 
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. 
The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

由于集成是基于浏览器的。即用户将通过浏览器访问 API。我认为解决方案是将Header set Access-Control-Allow-Origin设置为传入的请求IP。

知道如何做到这一点。 顺便说一句，除了可以更改 HTTP 服务器设置之外，我无法控制此集成。

Answer 1

它想要发起 XHR 请求的源，它在错误消息中：http://localhost:38359

如果您需要支持不带 * 的多个来源（由于使用凭据），您需要使其以 Origin: 标头作为输入为条件。

例如：

SetEnvIf Origin "http(s)?://(localhost:38359)$" ACAO=$0
SetEnvIf Origin "http(s)?://(some-other-origin-allowed)$" ACAO=$0
Header always set Access-Control-Allow-Origin %{ACAO}e env=ACAO