How to make a POST request to a Stripe endpoint without a CORS preflight
Trying to make a basic POST request to a Stripe endpoint in Node:
    const https = require('https');
    const options = {
      hostname: 'connect.stripe',
      port: 443,
      path: '/oauth/token',
      method: 'POST',
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
      }
    }
    const req = https.request(
      options, res =>
        res.on('data', d =>
          process.stdout.write(d))
    )
    req.write(data) // client_secret=stripe_sk&grant_type=authorization_code...
    req.end()
The response
Failed to load :
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:3000' is therefore not allowed access.
The response had HTTP status code 400. If an opaque response serves your needs,
set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
server.js
    const express = require('express');
    const next = require('next');
    const nextI18NextMiddleware = require('next-i18next/middleware');
    const nextI18next = require('./i18n');
    const app = next({ dev: process.env.NODE_ENV !== 'production' });
    const routes = require('./routes');
    const handler = routes.getRequestHandler(app);
    (async () => {
      await app.prepare();
      const server = express();
      nextI18NextMiddleware(nextI18next, app, server);
      server.get('*', (req, res) => handler(req, res));
      await server.listen(3000);
      console.log('Ready on http://localhost:3000');
    })();
Wild guess
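It looks like something is silently modifying the headers, so that it is not a simple POST but a POST with some extra headers, which triggers the CORS preflight rules.
Using Postman I get the expected result; the problem is in the headers.
How can I find out what is affecting my POST request? Any hints would be greatly appreciated!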
HTTP 303
Request URL:
Request Method: GET
Status Code: 303
Remote Address: 54.187.119.242:443
Referrer Policy: strict-origin-when-cross-origin
content-length: 0
content-security-policy:
location: =%2Foauth%2Ftoken
referrer-policy: strict-origin-when-cross-origin
request-id: 1550537522-mreq_9XV0Kp3XVIJYPq
server: nginx
status: 303
strict-transport-security: max-age=31556926; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-ua-compatible: IE=Edge,chrome=1
Provisional headers are shown
DNT: 1
Referer: http://localhost:3000/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
OPTIONS request
Request URL:
Request Method: OPTIONS
Status Code: 303
Remote Address: 54.187.119.242:443
Referrer Policy: no-referrer-when-downgrade
content-length: 0
content-security-policy: default-src
location: =%2Foauth%2Ftoken
referrer-policy: strict-origin-when-cross-origin
request-id: 1550537522-mreq_9XV0Kp3XVIJYPq
server: nginx
status: 303
strict-transport-security: max-age=31556926; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-ua-compatible: IE=Edge,chrome=1
Provisional headers are shown
Access-Control-Request-Headers: access-control-allow-headers
Access-Control-Request-Method: POST
DNT: 1
Origin: http://localhost:3000
Referer: http://localhost:3000/profile/edit?code=ac_EYThaA5LNla8&state=35N1UGuPHac9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
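Answer:
You need to set Access-Control-Allow-Origin to *
For Firebase Cloud Functions, you can do it like this...
    res.header('Content-Type', 'application/json');
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Headers', 'Content-Type');
    if (req.method === 'OPTIONS') {
      res.status(204).send('');
      return; // stop here so the handler does not send a second response
    }
However, I'm not sure which server you are using, so I can't give the exact code.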
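To see which part of a request forces the OPTIONS round trip shown in the question, the following added example (not code from the question or the answer) models a simplified version of the Fetch standard's preflight rule. The function name `preflightReasons` and the sample header values are assumptions made for illustration.

```javascript
// Simplified model of the Fetch standard's "does this cross-origin request need
// a preflight?" decision. Not covered: stream bodies, upload progress listeners,
// and the byte-level restrictions on safelisted header values.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Returns the reasons a browser would send OPTIONS first; an empty array means
// the request goes out directly as a "simple" request.
function preflightReasons(method, headers = {}) {
  const reasons = [];
  const verb = method.toUpperCase();
  if (!SAFE_METHODS.has(verb)) reasons.push(`method ${verb}`);
  for (const [rawName, rawValue] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    const value = String(rawValue);
    if (!SAFE_HEADERS.has(name)) {
      reasons.push(`header ${name}`);
    } else if (new TextEncoder().encode(value).length > 128) {
      reasons.push(`header ${name} (value longer than 128 bytes)`);
    } else if (name === 'content-type') {
      // Only the MIME type essence counts; parameters such as charset are ignored.
      const essence = value.split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) reasons.push(`content-type ${essence}`);
    }
  }
  return reasons;
}

// Constructed inputs modelled on the question.
const asPosted = { 'Content-Type': 'application/x-www-form-urlencoded' };
// Assumption: the browser-side code also set this response-only header on the
// request, which is what "Access-Control-Request-Headers:
// access-control-allow-headers" in the OPTIONS capture indicates. The value is made up.
const asCaptured = { ...asPosted, 'Access-Control-Allow-Headers': '*' };

console.log(preflightReasons('POST', asPosted));
console.log(preflightReasons('POST', asCaptured));
console.log(preflightReasons('POST', { 'Content-Type': 'application/json' }));
```

The request body in the question carries client_secret, so this call is normally made from server-side code, where CORS does not apply.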