[TIL] 211222

Lee Syong·2021년 12ė›” 22ėž
TILcors
0

TIL

ëŠĐ록 ëģīęļ°
126/204
post-thumbnail

📝 ė˜Ī늘 한 ęēƒ

  1. CORS ė—ëŸŽ í•īęē°

📚 ë°°ėšī ęēƒ

1. 배폎

1) CORS ė—ëŸŽ

(1) ė—ëŸŽ ë‚īėšĐ

  • ėī렇ęēŒ ėž‘ė„ąí•˜ëĐī, ėžë°˜ 로ę·ļėļė„ 하ëĐī 프로필 ė‚Žė§„ėī ė•ˆ ëģīė˜€ë‹Ī. (현ėžŽ ėƒíƒœ)
    net::ERR_BLOCKED_BY_RESPONSE.NotSameOriginAfterDefaultedToSameOriginByCoep 200
// server.js
app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "require-corp");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  next();
});
//- header.pug & profile.pug
if loggedInUser.socialOnly 
  img(src=loggedInUser.avatarUrl, crossorigin).profile-img
  • ėī렇ęēŒ ėž‘ė„ąí•˜ëĐī, github 로ę·ļėļė„ 하ëĐī 프로필 ė‚Žė§„ėī ė•ˆ ëģīė˜€ë‹Ī. (ėˆ˜ė • ė „ ėƒíƒœ)
    ~ ~ ~ has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. GET https://avatars.githubusercontent.com/u/~ ~ ~ net::ERR_FAILED 200
// server.js
app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "credentialless");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  next();
});
//- header.pug & profile.pug
if loggedInUser.socialOnly 
  img(src=loggedInUser.avatarUrl, crossorigin="use-credentials").profile-img

(2) ė—ëŸŽ í•īęē°

  • Cross-Origin-Embedder-Policy: credentialless
  • img crossorigin
  • fetch(url, { mode: "cors" })

ėžë°˜ 로ę·ļėļė„ í•ī도 github 로ę·ļėļė„ í•ī도 프로필 ė‚Žė§„ėī ëŠĻ두 ėž˜ 뜮ë‹Ī.

app.use((req, res, next) => {
  res.header("Cross-Origin-Embedder-Policy", "credentialless");
  res.header("Cross-Origin-Opener-Policy", "same-origin");
  next();
});
//- header.pug & profile.pug
if loggedInUser.socialOnly 
  img(src=loggedInUser.avatarUrl, crossorigin).profile-img
// userController.js
export const finishGithubLogin = async (req, res) => {
  // ėĪ‘ëžĩ
  
  if ("access_token" in tokenRequest) {
    const { access_token } = tokenRequest;
    const apiUrl = "https://api.github.com";
    const userData = await (
      await fetch(`${apiUrl}/user`, {
        mode: "cors", // ėķ”ę°€ ❗
        headers: {
          Authorization: `token ${access_token}`,
        },
      })
    ).json();
    
  // ėĪ‘ëžĩ
};

(3) ė°ļęģ  ėžëĢŒ

ęĩė°Ļ ėķœėē˜ ëĶŽė†ŒėŠĪ ęģĩėœ  (CORS)
Making your website "cross-origin isolated" using COOP and COEP
Load cross-origin resources without CORP headers using COEP: credentialless

나흘 간 ė• ëĻđė˜€ë˜ ė—ëŸŽëĨž ęē°ęĩ­ í•īęē°í–ˆė§€ë§Œ ęļ°ėĻëģīë‹Ļ 허ëŽīí•Ļėī 더 큰 ęą° 같ë‹Ī.
ė§„ė§œ ëģ„ė˜ ëģ„ ęąļ ë‹Ī ė°ūė•„ė„œ í•īëīĪė—ˆëŠ”데 ęē°ęĩ­ ėī렇ęēŒ í•īęē°í•˜ë‹Ī니.
credentials true ëŽļė œë„ allow header ëŽļė œë„ origin ëŽļė œë„ ė „ëķ€ ė•„니ė—ˆë‹Ī.
ę·ļ래도 ė§ˆëŽļėœžëĄœ ë‚ĻęēĻ두ė§€ ė•Šęģ  ęē°ęĩ­ í•īęē°í•īė„œ 후ë Ļ하ë‹Ī.

ę·ļ 밖ė— ė˜Ī늘 ė°ļęģ í–ˆë˜(ė‚―ė§ˆí–ˆë˜) ėžëĢŒë“Ī
Contents-Type Header ė™€ Accept Headerė˜ ė°Ļėīė 
Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
MDN - XMLHttpRequest
Using XMLHttpRequest

📝 ë‚īėž 할 ęēƒ

  1. ėē˜ėŒëķ€í„° ëģĩėŠĩ
profile
Lee Syong
ëŠĨ동ė ėœžëĄœ ė‚īėž, 행ëģĩ하ęēŒðŸ˜
ėīė „ 폎ėŠĪíŠļ

[TIL] 211221

ë‹ĪėŒ 폎ėŠĪíŠļ

[TIL] 211223

0개ė˜ 댓ęļ€