// Options for the cookie that carries the CSRF secret. The leading dot scopes
// the cookie to every subdomain of config_web.domain, so both the main site and
// the API host receive it.
const csrfCookieOptions = {
  domain: `.${config_web.domain}`,
  secure: true,
  httpOnly: true,
  //sameSite: 'none'
};

// Cookie-backed CSRF middleware; apply it to the routes that need protection.
const csrfProtection = csrf({ cookie: csrfCookieOptions });
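// Session cookie lifetime in milliseconds. parseInt is always given a radix so
// a value such as "08" is not mis-parsed.
const sessionMaxAge = Number.parseInt(cookiesTime, 10);

// Redis-backed server-side session shared across the subdomains of config_web.domain.
app.use(expresssession({
  store: new RedisStore({ client: redisClient }),
  // 'keyboard cat' is the placeholder from the express-session documentation.
  // Read the real signing secret from the environment so it is never committed
  // with the source; the literal remains only as a development fallback.
  secret: process.env.SESSION_SECRET ?? 'keyboard cat',
  resave: false,
  saveUninitialized: false,
  cookie: {
    // Leading dot: cookie is sent to every subdomain of config_web.domain.
    domain: `.${config_web.domain}`,
    maxAge: sessionMaxAge,
    secure: true,
    httpOnly: true,
  },
}));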
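// CORS policy for the browser app on main.domain.com calling api.domain.com.
const corsOptions = {
  origin: ['https://api.domain.com', 'https://main.domain.com'],
  methods: 'POST',
  // Cookies (session + CSRF) are only attached when this is true AND the
  // client sets withCredentials on its XHR/fetch call.
  credentials: true,
  // When credentials are allowed, browsers treat '*' in
  // Access-Control-Allow-Headers as the literal header name "*", not as a
  // wildcard, so any preflight carrying a custom header (e.g. the one that
  // transports the CSRF token) is rejected. List the headers explicitly;
  // adjust the last entry to the header name the client actually sends.
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'X-CSRF-Token'],
  optionsSuccessStatus: 200,
};
app.use(cors(corsOptions));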
我有主网站 https://main.domain.com，并将通过调用 API https://api.domain.com。在分离两个子域之后，带 CSRF 的 API 调用总是失败。我想知道是否有哪个 cookie 配置错了？
// Cross-origin request options: withCredentials makes the browser attach the
// session and CSRF cookies to the request and accept cookies from the response.
const ajaxOptions = {
  url: a_cross_domain_url,
  xhrFields: { withCredentials: true },
};

$.ajax(ajaxOptions);
刚刚发现在前端添加 xhrFields 之后就可以正常工作了。