-2 
const csrfProtection = csrf({ 
    cookie: { 
      domain: '.' + config_web.domain,
      secure: true,
      httpOnly: true,
      //sameSite: 'none'
    }, 
});

app.use(expresssession({
   store: new RedisStore({ client: redisClient }),
   secret: 'keyboard cat',
   resave: false,
   saveUninitialized: false,
   cookie: { 
     domain: '.' + config_web.domain, 
     maxAge: parseInt(cookiesTime), 
     secure: true, 
     httpOnly: true 
   }
}));

const corsOptions = {
  origin: ['https://api.domain.com', 'https://main.domain.com'],
  methods: 'POST',
  credentials: true,
  allowedHeaders: '*',//['Content-Type', 'Authorization', 'X-Requested-With'],
  optionsSuccessStatus: 200
}

app.use(cors(corsOptions));

我有主站点https://main.domain.com并将通过https://api.domain.com调用 api 。分离两个子域后,从 csrf 调用 api 总是失败。我想知道我是否设置错误的任何 cookie 内容?

4

1 回答 1

-2 
$.ajax({
   url: a_cross_domain_url,
   xhrFields: {
      withCredentials: true
   }
});

刚刚发现在前端添加 xhrFields 然后工作

于 2020-09-14T13:09:51.077 回答