sockjs / sockjs-node

WebSocket emulation - Node.js server
http://sockjs.org
MIT License

Header in the response must not be the wildcard '*' when the request's credentials mode is 'include' #227

Closed ghost closed 6 years ago

ghost commented 7 years ago

When using SockJS and trying to connect to a secured (Auth0) Spring Boot REST controller (localhost:8081) from an Angular 2 client (localhost:4200) I receive the following error message:

The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'http://localhost:4200' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

This issue seems related to issue 177, but the error I receive informs me that the credentials mode is set to 'include' and not about the credentials flag being true. I'm using the latest SockJS, where issue 177 should be resolved when looking at the node_modules\sockjs\Changelog.

Code and more explanation can be found on stackoverflow.

What could be causing this problem?

mswaidan commented 7 years ago

I am encountering the same problem. Did you ever find a solution @Samvherck?

ghost commented 7 years ago

Seems like a SockJS bug so I went for a StompJS only solution (which seems almost to be identical).

import { Injectable } from '@angular/core';
import 'stompjs';
declare let Stomp: any;

@Injectable()
export class StompService {

    url = 'http://localhost:8081/message/';
    stompUrl = 'ws://localhost:8081/message';
    stompClient: any;

    constructor() {}

    // Open a plain WebSocket (no SockJS) and run STOMP over it; the callback
    // receives every message published on /topic/messages.
    connectStomp(callback: (response: any) => void) {
        let self = this;

        let webSocket = new WebSocket(this.stompUrl);
        this.stompClient = Stomp.over(webSocket);

        this.stompClient.connect({}, function (frame: any) {
            self.stompClient.subscribe('/topic/messages', function (response: any) {
                callback(response);
            });
        });
    }

    // Publish the caller's content to the /app/message destination.
    sendStompMessage(content: string) {
        this.stompClient.send('/app/message', {}, content);
    }
}

CaseyLeask commented 7 years ago

Here's a link to the MDN explanation of what's happening https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials, which covers both the XHR and 'Request' APIs.

The secured (Auth0) Spring Boot REST controller is not sending back a valid 'Access-Control-Allow-Origin' header for a request with credentials. These requests send cookies, and that's largely why * is not a valid value.

This doesn't look to be an XHR request with credentials https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials, but instead it seems to be part of the 'Request' API https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials, based on the wording "the request's credentials mode is 'include'".

This means it could be a fetch call with credentials included https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Sending_a_request_with_credentials_included.

fengyueran commented 6 years ago

I am encountering the same problem. Did you ever find a solution @Samvherck?

Manubi commented 6 years ago

Hi, was anyone of you successful? :) @fengyueran

brycekahle commented 6 years ago

If the Origin request header is non-null, then SockJS will not respond with *. Can you capture a request/response? It is likely something else is responding that is not SockJS.

brycekahle commented 6 years ago

Closing due to inactivity.

yanganok commented 5 years ago

How do I do this in ASP.NET Core?