Menu
I have set up a node server with socket io turning and trying to connect to it through another server. However some browsers on different computers give me this error and makes it reconnect the whole time:
XMLHttpRequest cannot load https://serverDomain.net:3000/socket.io/?EIO=3&transport=polling&t=Lo_SdiU. The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. Origin 'https://www.differentServerDomain.fr' is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
my js config:
var port = 3000; var fs = require('fs'); var https = require('https'); var express = require('express'); var app = express(); var options = { key: fs.readFileSync('/etc/letsencrypt/live/devpeter.net/privkey.pem'), cert: fs.readFileSync('/etc/letsencrypt/live/devpeter.net/fullchain.pem') }; var server = https.createServer(options, app); var io = require('socket.io')(server); io.origins('https://www.differentServerDomain.fr:* https://www.differentServerDomain.fr/wp-admin/index.php:*'); // start of server server.listen(port, function(){ console.log('listening on *: '+ port + "\n"); }); I am using node 8.0 and socket io 2.2, Your help will be greatly appreciated.
EDIT: here is the client code:
<script src="https://serverDomain.net:3000/socket.io/socket.io.js"></script> <script> var socket = io('https://serverDomain.net:3000'); </script> 
592
Run the following command to confirm the origin server returns the Access-Control-Allow-Origin header. Replace example.com with the required origin header. Replace https://www.example.net/video/call/System.generateId.dwr with the URL of the resource that's returning the header error.
If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value. You can also configure a site to allow any site to access it by using the * wildcard. You should only use this for public APIs.
WebSocket doesn't come with CORS inbuilt. That being said, it means that any website can connect to any other website's websocket connection and communicate without any restriction! I'm not going into reasons why this is the way it is, but a quick fix to this is to verify Origin header on the websocket handshake.
I have found a solution. for some reason the default transportation method is not always allowed by all servers.
So i specified a neutral transportation method at the client side, like this:
var socket = io('https://yourDomain:3000', { transports : ['websocket'] }); If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With