Browser blocks CORS request although Access-Control-Allow-Origin is set correctly
JavaScript developed by one of our vendors needs to make cross-origin XMLHttpRequest calls to a service of our company. The URL of the GET request (obfuscated for security reasons) basically looks like
https://infoservice.testcompany.com/ourservice/api/public/eventshash
Unfortunately, the OPTIONS preflight for this request fails with an unexpected error (Firefox console):
However, when I analyze the request, I can find exactly the header variable and value the error message complains about. Slightly obfuscated HAR output:
{
"log": {
"version": "1.1",
"creator": {
"name": "Firefox",
"version": "62.0"
},
"browser": {
"name": "Firefox",
"version": "62.0"
},
"pages": [
{
"startedDateTime": "2018-09-20T06:44:28.458+02:00",
"id": "page_1",
"title": "Main page - Home",
"pageTimings": {
"onContentLoad": -1,
"onLoad": -1
}
}
],
"entries": [
{
"pageref": "page_1",
"startedDateTime": "2018-09-20T06:44:40.869+02:00",
"request": {
"bodySize": 0,
"method": "OPTIONS",
"url": "https://infoservice.testcompany.com/ourservice/api/public/eventshash",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Host",
"value": "infoservice.testcompany.com"
},
{
"name": "User-Agent",
"value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
},
{
"name": "Accept",
"value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
},
{
"name": "Accept-Language",
"value": "de,en;q=0.7,en-US;q=0.3"
},
{
"name": "Accept-Encoding",
"value": "gzip, deflate, br"
},
{
"name": "Access-Control-Request-Method",
"value": "GET"
},
{
"name": "Access-Control-Request-Headers",
"value": "if-modified-since"
},
{
"name": "Origin",
"value": "https://mainpage.testcompany.com"
},
{
"name": "Connection",
"value": "keep-alive"
}
],
"cookies": [],
"queryString": [],
"headersSize": 484
},
"response": {
"status": 200,
"statusText": "OK",
"httpVersion": "HTTP/1.1",
"headers": [
{
"name": "Date",
"value": "Thu, 20 Sep 2018 04:44:40 GMT"
},
{
"name": "Cache-Control",
"value": "private"
},
{
"name": "Cache-Control",
"value": "max-age=10"
},
{
"name": "Access-Control-Allow-Origin",
"value": "https://mainpage.testcompany.com"
},
{
"name": "Access-Control-Allow-Credentials",
"value": "true"
},
{
"name": "Allow",
"value": "GET,HEAD,POST,OPTIONS"
},
{
"name": "Vary",
"value": "Origin"
},
{
"name": "Access-Control-Expose-Headers",
"value": "Accept-Language"
},
{
"name": "Access-Control-Allow-Headers",
"value": "if-modified-since"
},
{
"name": "Access-Control-Allow-Methods",
"value": "GET, HEAD, OPTIONS"
},
{
"name": "Accept-Language",
"value": "de,en;q=0.7,en-US;q=0.3"
},
{
"name": "Content-Length",
"value": "0"
},
{
"name": "Connection",
"value": "close"
},
{
"name": "Content-Type",
"value": "application/json"
}
],
"cookies": [],
"content": {
"mimeType": "application/json",
"size": 0,
"text": ""
},
"redirectURL": "",
"headersSize": 504,
"bodySize": 504
},
"cache": {},
"timings": {
"blocked": 23,
"dns": 0,
"connect": 11,
"ssl": 0,
"send": 0,
"wait": 14,
"receive": 0
},
"time": 48,
"_securityState": "secure",
"serverIPAddress": "192.168.0.1",
"connection": "443"
}
]
}
}
As you can see, I receive
{
"name": "Access-Control-Allow-Origin",
"value": "https://mainpage.testcompany.com"
},
which should be correct.
In Apache, I create the CORS headers like this:
<Files eventshash>
ForceType application/json
# Not needed, saves time:
Header unset ETag
FileETag None
# CORS:
SetEnvIf Origin "http.*\.testcompany\.com.*$" AccessControlAllowOrigin=$0
Header Always Set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header Append Vary Origin
Header Always Set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
Header set Access-Control-Expose-Headers "Accept-Language" env=AccessControlAllowOrigin
Header set Access-Control-Allow-Headers "if-modified-since" env=AccessControlAllowOrigin
Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS" env=AccessControlAllowOrigin
Header echo Accept-Language
</Files>
I can see the CORS blocking error in Firefox, IE11 and Chrome. But I think my CORS headers are correct, and I have absolutely no idea what else could be missing in the web server's reply. Ah, yes, I know that Access-Control-Allow-Origin: "*" is bad, so I don't use it. Just to complete my input.
Any idea what is missing/wrong?
cu, Steffen
This error occurs when the server does not accept requests from other domains. For example: if my server is running and I make a GET request to another server () and the test2 server is not configured to accept requests from other servers, this kind of error occurs. In your case, I think you are missing the security entry in the apache file
"http.*\.testcompany\.com.*$"
Please replace this with the following
"https.*\.testcompany\.com.*$"
Actually, both http.* and https.* match https://something. So this should not make any difference. If it did not match, the line Header Always Set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin would not work. Anyway, I tried it just now, and the result is the same.
I am experiencing exactly the same thing and am curious and anxious about the answer!!!
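The following is an added example, not code from the question or from any answer. It applies the browser's CORS preflight checks to the OPTIONS response recorded in the HAR above, and runs the two SetEnvIf patterns discussed in the answer and the comment against a few constructed origins, alongside a start-anchored alternative that is this example's own assumption and not something the page proposes.

```python
"""Added example: evaluate the recorded OPTIONS response the way a browser's
CORS preflight check does, and test SetEnvIf origin patterns.

Header values are copied from the HAR in the question; the extra sample
origins and the anchored pattern are constructed for illustration.
"""
import re

# Preflight response headers as recorded in the HAR above.
PREFLIGHT_RESPONSE = {
    "Access-Control-Allow-Origin": "https://mainpage.testcompany.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "if-modified-since",
    "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS",
    "Vary": "Origin",
}

# Preflight request parameters as recorded in the HAR above.
PREFLIGHT_REQUEST = {
    "origin": "https://mainpage.testcompany.com",
    "method": "GET",
    "headers": ["if-modified-since"],
}

# Methods that never need to be listed in Access-Control-Allow-Methods.
CORS_SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def _token_set(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def check_preflight(request, response, with_credentials=True):
    """Return the reasons a browser would reject this preflight (empty list = OK).

    Follows the CORS checks of the Fetch standard: the origin must match
    exactly (or be '*' without credentials), credentialed requests need
    Access-Control-Allow-Credentials: true, and the requested method and every
    requested header must be allowed (header names compared case-insensitively).
    """
    problems = []
    origin = request["origin"]
    allow_origin = response.get("Access-Control-Allow-Origin")
    if allow_origin is None:
        problems.append("missing Access-Control-Allow-Origin")
    elif allow_origin == "*":
        if with_credentials:
            problems.append("Access-Control-Allow-Origin '*' is invalid with credentials")
    elif allow_origin != origin:
        problems.append(f"Access-Control-Allow-Origin {allow_origin!r} does not equal Origin {origin!r}")

    if with_credentials and response.get("Access-Control-Allow-Credentials") != "true":
        problems.append("credentialed request but Access-Control-Allow-Credentials is not 'true'")

    allowed_methods = _token_set(response.get("Access-Control-Allow-Methods", ""))
    method = request["method"]
    wildcard_methods = "*" in allowed_methods and not with_credentials
    if method.lower() not in allowed_methods and method.upper() not in CORS_SAFELISTED_METHODS and not wildcard_methods:
        problems.append(f"method {method} not in Access-Control-Allow-Methods")

    allowed_headers = _token_set(response.get("Access-Control-Allow-Headers", ""))
    wildcard_headers = "*" in allowed_headers and not with_credentials
    for name in request["headers"]:
        if name.lower() not in allowed_headers and not wildcard_headers:
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems


def origin_matches(pattern, origin):
    """Mimic SetEnvIf: an unanchored regex search over the Origin header value."""
    return re.search(pattern, origin) is not None


# Patterns quoted on this page, plus a tightened alternative that is an
# assumption of this example (one label directly under testcompany.com, https only).
QUESTION_PATTERN = r"http.*\.testcompany\.com.*$"
ANSWER_PATTERN = r"https.*\.testcompany\.com.*$"
ANCHORED_PATTERN = r"^https://[a-z0-9-]+\.testcompany\.com$"


def allowlist_report(pattern, origins):
    """Map each origin to whether the pattern would set AccessControlAllowOrigin."""
    return {origin: origin_matches(pattern, origin) for origin in origins}


if __name__ == "__main__":
    print("preflight problems:", check_preflight(PREFLIGHT_REQUEST, PREFLIGHT_RESPONSE))
    sample_origins = [  # constructed for illustration
        "https://mainpage.testcompany.com",
        "http://mainpage.testcompany.com",
        "https://mainpage.testcompany.com.example",
    ]
    for label, pattern in (("question", QUESTION_PATTERN), ("answer", ANSWER_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(label, allowlist_report(pattern, sample_origins))
```

Run against the HAR's headers, check_preflight returns no problems, which agrees with the asker's reading that the recorded OPTIONS response is correct; whatever the missing console message reported is not visible in those headers, so the next place to look is the response to the actual GET (the non-Always Header directives in the config are only applied to successful responses, which matters if that GET is answered with 304 Not Modified). The pattern part confirms the comment that both http.* and https.* match https://mainpage.testcompany.com. It also shows that neither pattern is anchored at the start and both end in .*$, so they set AccessControlAllowOrigin for any origin whose host name merely contains .testcompany.com, which combined with Access-Control-Allow-Credentials: true is a wider allowlist than intended; the anchored pattern limits the match to a single label directly under testcompany.com over https.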