Browser blocks CORS request although Access-Control-Allow-Origin is set correctly

JavaScript developed by one of our vendors needs to make a cross-origin XMLHttpRequest to a service of our company. The URL of the GET request (obfuscated for security reasons) basically looks like

https://infoservice.testcompany.com/ourservice/api/public/eventshash
Unfortunately, the OPTIONS preflight for this request fails with an unexpected error (Firefox console):

However, when I analyze the request, I can find exactly the header variable and value that the error message complains about. Slightly obfuscated HAR output:

{
  "log": {
    "version": "1.1",
    "creator": {
      "name": "Firefox",
      "version": "62.0"
    },
    "browser": {
      "name": "Firefox",
      "version": "62.0"
    },
    "pages": [
      {
        "startedDateTime": "2018-09-20T06:44:28.458+02:00",
        "id": "page_1",
        "title": "Main page - Home",
        "pageTimings": {
          "onContentLoad": -1,
          "onLoad": -1
        }
      }
    ],
    "entries": [
      {
        "pageref": "page_1",
        "startedDateTime": "2018-09-20T06:44:40.869+02:00",
        "request": {
          "bodySize": 0,
          "method": "OPTIONS",
          "url": "https://infoservice.testcompany.com/ourservice/api/public/eventshash",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Host",
              "value": "infoservice.testcompany.com"
            },
            {
              "name": "User-Agent",
              "value": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"
            },
            {
              "name": "Accept",
              "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
            },
            {
              "name": "Accept-Language",
              "value": "de,en;q=0.7,en-US;q=0.3"
            },
            {
              "name": "Accept-Encoding",
              "value": "gzip, deflate, br"
            },
            {
              "name": "Access-Control-Request-Method",
              "value": "GET"
            },
            {
              "name": "Access-Control-Request-Headers",
              "value": "if-modified-since"
            },
            {
              "name": "Origin",
              "value": "https://mainpage.testcompany.com"
            },
            {
              "name": "Connection",
              "value": "keep-alive"
            }
          ],
          "cookies": [],
          "queryString": [],
          "headersSize": 484
        },
        "response": {
          "status": 200,
          "statusText": "OK",
          "httpVersion": "HTTP/1.1",
          "headers": [
            {
              "name": "Date",
              "value": "Thu, 20 Sep 2018 04:44:40 GMT"
            },
            {
              "name": "Cache-Control",
              "value": "private"
            },
            {
              "name": "Cache-Control",
              "value": "max-age=10"
            },
            {
              "name": "Access-Control-Allow-Origin",
              "value": "https://mainpage.testcompany.com"
            },
            {
              "name": "Access-Control-Allow-Credentials",
              "value": "true"
            },
            {
              "name": "Allow",
              "value": "GET,HEAD,POST,OPTIONS"
            },
            {
              "name": "Vary",
              "value": "Origin"
            },
            {
              "name": "Access-Control-Expose-Headers",
              "value": "Accept-Language"
            },
            {
              "name": "Access-Control-Allow-Headers",
              "value": "if-modified-since"
            },
            {
              "name": "Access-Control-Allow-Methods",
              "value": "GET, HEAD, OPTIONS"
            },
            {
              "name": "Accept-Language",
              "value": "de,en;q=0.7,en-US;q=0.3"
            },
            {
              "name": "Content-Length",
              "value": "0"
            },
            {
              "name": "Connection",
              "value": "close"
            },
            {
              "name": "Content-Type",
              "value": "application/json"
            }
          ],
          "cookies": [],
          "content": {
            "mimeType": "application/json",
            "size": 0,
            "text": ""
          },
          "redirectURL": "",
          "headersSize": 504,
          "bodySize": 504
        },
        "cache": {},
        "timings": {
          "blocked": 23,
          "dns": 0,
          "connect": 11,
          "ssl": 0,
          "send": 0,
          "wait": 14,
          "receive": 0
        },
        "time": 48,
        "_securityState": "secure",
        "serverIPAddress": "192.168.0.1",
        "connection": "443"
      }
    ]
  }
}
As you can see, I receive

{
    "name": "Access-Control-Allow-Origin",
    "value": "https://mainpage.testcompany.com"
},
which should be correct.

In Apache, I create the CORS headers as follows:

<Files eventshash>
ForceType application/json
# Not needed, saves time:
Header unset ETag
FileETag None

# CORS:
SetEnvIf Origin "http.*\.testcompany\.com.*$" AccessControlAllowOrigin=$0
Header Always Set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header Append Vary Origin
Header Always Set Access-Control-Allow-Credentials true env=AccessControlAllowOrigin
Header set Access-Control-Expose-Headers "Accept-Language" env=AccessControlAllowOrigin
Header set Access-Control-Allow-Headers "if-modified-since" env=AccessControlAllowOrigin
Header set Access-Control-Allow-Methods "GET, HEAD, OPTIONS" env=AccessControlAllowOrigin
Header echo Accept-Language
</Files>

I can see the CORS blocking error in Firefox, IE11 and Chrome. But I think my CORS headers are correct, and I have absolutely no idea what else could be missing in the web server's reply. Oh yes, I know that Access-Control-Allow-Origin: "*" is bad, so I don't use it. Just for the sake of completeness.

Any idea what is missing / wrong?


cu, Steffen
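As an added example, not from the question and not any browser's actual code: a small JavaScript model of what a browser checks on a CORS preflight response, run against the headers captured in the HAR above. Function names are this example's own, and the request is assumed to be credentialed (the HAR does not show whether withCredentials was set; the server's Access-Control-Allow-Credentials: true suggests it).

```javascript
// Added example: a model of the checks a browser applies to a CORS preflight
// response, fed with the headers from the HAR in the question. Not browser code.

// Collapse HAR-style [{name, value}] headers into a case-insensitive map,
// joining repeated headers with ", " the way the Fetch header list does.
function headerMap(harHeaders) {
  const map = new Map();
  for (const { name, value } of harHeaders) {
    const key = name.toLowerCase();
    map.set(key, map.has(key) ? `${map.get(key)}, ${value}` : value);
  }
  return map;
}

// Split a comma-separated header value into trimmed, lower-cased tokens.
function tokens(value) {
  return value === undefined
    ? []
    : value.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Origin and credentials checks; they apply to the preflight AND to the actual response.
function originProblems(h, origin, credentials) {
  const problems = [];
  const acao = h.get('access-control-allow-origin');
  if (acao === undefined) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (tokens(acao).length > 1) {
    problems.push(`Access-Control-Allow-Origin has more than one value: "${acao}"`);
  } else if (acao === '*') {
    if (credentials) problems.push('Access-Control-Allow-Origin "*" is not allowed with credentials');
  } else if (acao !== origin) {
    // Byte-for-byte comparison: scheme, host and port must equal the Origin header;
    // a trailing slash or a different scheme already fails.
    problems.push(`Access-Control-Allow-Origin "${acao}" does not match Origin "${origin}"`);
  }
  if (credentials && h.get('access-control-allow-credentials') !== 'true') {
    problems.push('Access-Control-Allow-Credentials must be exactly "true" for a credentialed request');
  }
  return problems;
}

// Check an OPTIONS preflight response against the request that triggered it.
// Returns the failed checks; an empty list means the browser accepts the preflight.
function checkPreflight({ origin, method, requestHeaders = [], credentials }, status, responseHeaders) {
  const h = headerMap(responseHeaders);
  const problems = [];
  if (status < 200 || status > 299) problems.push(`preflight status ${status} is not 2xx`);
  problems.push(...originProblems(h, origin, credentials));

  const allowedMethods = tokens(h.get('access-control-allow-methods'));
  const m = method.toLowerCase();
  const methodOk = ['get', 'head', 'post'].includes(m)       // safelisted methods need no listing
    || allowedMethods.includes(m)
    || (allowedMethods.includes('*') && !credentials);       // "*" is literal when credentialed
  if (!methodOk) problems.push(`method ${method} is not in Access-Control-Allow-Methods`);

  const allowedHeaders = tokens(h.get('access-control-allow-headers'));
  const headerWildcard = allowedHeaders.includes('*') && !credentials;
  for (const name of requestHeaders.map((n) => n.toLowerCase())) {
    // Every header named in Access-Control-Request-Headers must be listed;
    // "*" never covers Authorization.
    if (!allowedHeaders.includes(name) && !(headerWildcard && name !== 'authorization')) {
      problems.push(`request header ${name} is not in Access-Control-Allow-Headers`);
    }
  }
  return problems;
}

// The actual (here: GET) response must pass the origin/credentials checks on its own,
// independently of the preflight. That response is the one the HAR above does not show.
function checkActualResponse({ origin, credentials }, responseHeaders) {
  return originProblems(headerMap(responseHeaders), origin, credentials);
}

// Constructed from the HAR in the question, trimmed to the CORS-relevant headers.
// credentials: true is an assumption; the HAR does not show withCredentials.
const harRequest = {
  origin: 'https://mainpage.testcompany.com',
  method: 'GET',
  requestHeaders: ['if-modified-since'],
  credentials: true,
};
const harPreflightHeaders = [
  { name: 'Access-Control-Allow-Origin', value: 'https://mainpage.testcompany.com' },
  { name: 'Access-Control-Allow-Credentials', value: 'true' },
  { name: 'Vary', value: 'Origin' },
  { name: 'Access-Control-Expose-Headers', value: 'Accept-Language' },
  { name: 'Access-Control-Allow-Headers', value: 'if-modified-since' },
  { name: 'Access-Control-Allow-Methods', value: 'GET, HEAD, OPTIONS' },
];

console.log('preflight:', checkPreflight(harRequest, 200, harPreflightHeaders));
// A GET response that came back without the CORS headers fails on its own:
console.log('actual:', checkActualResponse(harRequest, [{ name: 'Content-Type', value: 'application/json' }]));
```

The captured preflight passes every check in this model, which agrees with the poster's reading of it. The same origin and credentials checks are applied by the browser to the real GET response as well, and that response is not in the HAR, so a capture of it is the other thing to compare. One Apache detail worth knowing when looking at it: the request carries If-Modified-Since, and Apache's HTTP output filter forwards only a fixed short list of headers (ETag, Cache-Control, Vary, Expires, Content-Location and a few others) on a 304 Not Modified response, so a conditional GET answered with 304 can arrive without Access-Control-Allow-Origin however mod_headers is configured. Whether that is what happens here can only be told from the GET capture.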

This error occurs when the server does not accept requests from other domains.

For example: if my server is running and I am making a GET request to another server () and the test2 server is not configured to accept requests from other servers, this kind of error occurs.

In your case, I think you are missing the secure entry in the apache file

"http.*\.testcompany\.com.*$"
Please change this to the following

"https.*\.testcompany\.com.*$"

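As an added example, not code from the question or from the answer: the Origin pattern from the SetEnvIf line in the question, checked against a few constructed Origin values next to an anchored pattern. JavaScript RegExp stands in for Apache's PCRE matching here (the two agree for these patterns). Which subdomains and ports should be trusted is a policy choice assumed by the anchored pattern, not something the question states.

```javascript
// Added example: the posted SetEnvIf Origin pattern vs. an anchored one.
// JS RegExp is used as a stand-in for SetEnvIf's PCRE matching.

// The pattern as posted: no start anchor, ".*" after the domain, and "http"
// already matches the prefix of "https", so the answer's http -> https edit
// does not change what it accepts.
const postedPattern = /http.*\.testcompany\.com.*$/;

// Anchored replacement (assumed policy): https only, any chain of subdomain
// labels, exactly testcompany.com, an optional port, and nothing after it.
const anchoredPattern = /^https:\/\/([a-z0-9-]+\.)*testcompany\.com(:\d+)?$/;

// Returns the origins a pattern would echo back in Access-Control-Allow-Origin.
function allowedOrigins(pattern, origins) {
  return origins.filter((origin) => pattern.test(origin));
}

// Constructed probe origins: legitimate ones first, then attacker-controlled values.
const probes = [
  'https://mainpage.testcompany.com',
  'https://mainpage.testcompany.com:8443',
  'https://dev.testcompany.com',
  'http://mainpage.testcompany.com',               // cleartext origin of the same host
  'https://www.testcompany.com.attacker.example',  // attacker's domain; ".testcompany.com" is just a label inside it
  'https://evil-testcompany.com',                  // no "." before "testcompany": both patterns reject it
  'null',                                          // sandboxed iframe or file: page
];

console.log('posted   :', allowedOrigins(postedPattern, probes));
console.log('anchored :', allowedOrigins(anchoredPattern, probes));
```

The posted pattern accepts five of the seven probes, including http://mainpage.testcompany.com and https://www.testcompany.com.attacker.example, and the config then echoes the matched value back together with Access-Control-Allow-Credentials: true, so a page on any such origin could read the service's responses with the user's cookies. The anchored pattern accepts only the three testcompany.com origins. The Apache line for it is SetEnvIf Origin "^https://([a-z0-9-]+\.)*testcompany\.com(:[0-9]+)?$" AccessControlAllowOrigin=$0; the existing Header Append Vary Origin stays, since the header value depends on the request.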

Actually, both http.* and https.* match https://something. So this should not make any difference. If it did not match, then the line
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
would not work at all. Anyway, I just tried it, and the result is the same.

I am experiencing exactly the same thing, and I am curious and nervous about the answer!!!