ECORS
grpc
config_error
ai_generated
true
内部错误:gRPC-Web:源 http://example.com 的 CORS 预检因凭据标志失败
INTERNAL: grpc-web: CORS preflight failed for origin http://example.com with credentials flag
ID: grpc/grpc-web-cors-credentials
88%修复率
90%置信度
1证据数
2024-07-10首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Envoy v1.29.0 | active | — | — | — |
| gRPC-Web v1.4.2 | active | — | — | — |
| gRPC-Web v1.5.0 | active | — | — | — |
| Istio v1.21.0 | active | — | — | — |
根因分析
浏览器强制执行 CORS 预检检查失败,因为当客户端发送 withCredentials: true 时,服务器未包含 Access-Control-Allow-Credentials 标头。
English
Browser enforces CORS preflight check fails because the server doesn't include Access-Control-Allow-Credentials header when the client sends withCredentials: true.
官方文档
https://github.com/grpc/grpc-web/blob/master/doc/cors.md解决方案
-
配置代理(Envoy/NGINX)显式返回 Access-Control-Allow-Credentials: true 和 Access-Control-Allow-Origin: http://example.com。
-
如果 RPC 不需要身份验证,从客户端移除 `withCredentials: true`。
无效尝试
常见但无效的做法:
-
Disabling CORS entirely in the browser
99% 失败
Browsers enforce CORS; it cannot be disabled by client code.
-
Adding Access-Control-Allow-Origin: * only
90% 失败
With credentials, the origin must be explicit, not wildcard.