ajax – CORS：当凭据标志为真时,不能在Access-Control-Allow-Or

前端服务器(Node.js，domain：localhost：3000)< --->后端(Django，Ajax，domain：localhost：8000)

浏览器< - webapp< - Node.js(服务应用程序) 浏览器(webapp) – > Ajax – > Django(服务ajax POST请求)

现在，我的问题是使用CORS设置，webapp使用它来对后端服务器进行Ajax调用。在chrome，我不断得到

Cannot use wildcard in Access-Control-Allow-Origin when credentials flag is true.

不工作在firefox也。

我的Node.js设置是：

var allowCrossDomain = function(req,res,next) {
    res.header('Access-Control-Allow-Origin','http://localhost:8000/');
    res.header('Access-Control-Allow-Credentials',true);
    res.header('Access-Control-Allow-Methods','GET,PUT,POST,DELETE');
    res.header("Access-Control-Allow-Headers","Origin,X-Requested-With,Content-Type,Accept");
    next();
};

在Django我使用this middleware along with this

webapp这样请求：

$.ajax({
    type: "POST",url: 'http://localhost:8000/blah',data: {},xhrFields: {
        withCredentials: true
    },crossDomain: true,dataType: 'json',success: successHandler
});

因此，webapp发送的请求头像：

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: "Origin,Accept"
Access-Control-Allow-Methods: 'GET,DELETE'
Content-Type: application/json 
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: csrftoken=***; sessionid="***"

这里是响应头：

Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,DELETE
Content-Type: application/json

我在哪里错了？

编辑1：我一直在使用chrome –disable-web-security，但现在想要的东西实际上工作。

编辑2：答案：

所以，解决方案我django-cors-headers配置：

CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
    'http://localhost:3000' # Here was the problem indeed and it has to be http://localhost:3000,not http://localhost:3000/
)