A URL in an Express JSON payload causes a CORS error


I have a GraphQL backend and a React frontend for an application. The CORS policy is set to allow only the frontend https://my.server:443 to access the backend https://my.server:4444, and it works fine... most of the time.

My Express.js server is started as follows:

server.start(
  {
    cors: {
      credentials: true,
      origin: [ "https://my.server" ]
    },
  },
  (deets) => {
    console.log(`Server is now running on port http://localhost:${deets.port}`);
  }
);

When I make a POST request to the API with a payload that contains a URL, I get a CORS error. The exchange looks like this:

OPTIONS request:

OPTIONS / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://my.server/qualifications
Origin: https://my.server
Connection: keep-alive
TE: Trailers
Response:

HTTP/2 204 No Content
date: Thu, 15 Oct 2020 12:16:25 GMT
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin, Access-Control-Request-Headers
access-control-allow-credentials: true
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-headers: content-type
X-Firefox-Spdy: h2
HTTP/2 403 Forbidden
server: awselb/2.0
date: Thu, 15 Oct 2020 12:16:25 GMT
content-type: text/html
content-length: 118
X-Firefox-Spdy: h2
POST request:

POST / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 616
Origin: https://my.server
Referer: https://my.server/qualifications
Connection: keep-alive
Cookie: token=eyJhbGc<removed-jwt>gmWVO_I68
TE: Trailers
OK... let's try again without the URL

What puzzles me is that when I do exactly the same thing, except for the one field that contains a URL, I get the following:

OPTIONS request:

OPTIONS / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://my.server/qualifications
Origin: https://my.server
Connection: keep-alive
TE: Trailers
Response:

HTTP/2 204 No Content
date: Thu, 15 Oct 2020 13:07:41 GMT
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin, Access-Control-Request-Headers
access-control-allow-credentials: true
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-headers: content-type
X-Firefox-Spdy: h2
HTTP/2 200 OK
date: Thu, 15 Oct 2020 13:07:41 GMT
content-type: application/json
content-length: 173
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin
access-control-allow-credentials: true
X-Firefox-Spdy: h2
POST request:

POST / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 560
Origin: https://my.server
Referer: https://my.server/qualifications
Connection: keep-alive
Cookie: token=eyJhbG<removed-jwt>WVO_I68
TE: Trailers
Now it works fine?? This leaves me with more questions than anything else:

  • How can the JSON payload of a request affect CORS?
  • Is something missing from my Express server CORS configuration?
  • Is there some general problem with sending URLs in a payload?
  • If so, is there a recommended workaround? (I was just going to base64 encode/decode it on the frontend, but that doesn't seem "right")

Any hints would be much appreciated.

We stumbled upon a similar issue today.

It turned out that in our case it was caused by a WAF configuration that was rejecting the requests. We found this after analysing the WAF samples and the load balancer logs.

Good luck.
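The captured exchanges above contain the whole diagnosis: the failing POST comes back as `403 Forbidden` with `server: awselb/2.0`, a `text/html` body and no `access-control-allow-*` headers at all, while the working one carries `x-powered-by: Express` plus the CORS headers the `cors` middleware adds. The browser reports any cross-origin response that lacks those headers as a "CORS error", so a block at the load balancer or WAF is indistinguishable from a CORS misconfiguration in the console. The following is an added example (not code from the original question, the answer, or the `cors` package) that triages a raw response dump along exactly those lines: it first checks whether the response was produced by Express at all, and only then validates the headers against the credentialed-request rules the question's configuration (`credentials: true`, exact origin in the `origin` list) has to satisfy. The two sample responses are constructed from the header dumps in the question; the bodies are not on the page and are omitted, and `EXPECTED_ORIGIN` is taken from the question's `origin` setting.

```javascript
// Added example (not from the original post): triage a captured HTTP response
// to tell a real CORS misconfiguration apart from an upstream block (WAF or
// load balancer) that merely looks like a CORS error in the browser console.
// Sample responses below are constructed from the headers shown in the
// question; bodies are not on the page and are omitted.

const EXPECTED_ORIGIN = 'https://my.server'; // frontend origin from the question's cors config

// Parse a raw "HTTP/2 <status> <reason>\nheader: value\n..." dump into an object.
// Header names are lower-cased; repeated headers are joined with ", ".
function parseResponse(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(lines[0]);
  if (!m) throw new Error('not an HTTP status line: ' + lines[0]);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue; // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status: Number(m[1]), headers };
}

// Classify the response the browser received for a credentialed cross-origin request.
function triageCors(raw, origin = EXPECTED_ORIGIN) {
  const { status, headers } = parseResponse(raw);
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  const fromExpress = /express/i.test(headers['x-powered-by'] || '');
  const fromElb = /^awselb/i.test(headers['server'] || '');

  // No CORS headers at all: the response never passed through the cors middleware.
  if (acao === undefined) {
    return {
      verdict: fromElb || !fromExpress ? 'blocked-upstream' : 'cors-headers-missing',
      status,
      hint: fromElb
        ? 'generated by the AWS load balancer, not by Express; check WAF and ELB access logs'
        : 'Express answered without CORS headers; cors middleware not applied to this route',
    };
  }
  // Credentialed requests need an exact origin echo and allow-credentials: true.
  if (acao === '*') {
    return { verdict: 'cors-misconfigured', status, hint: 'wildcard origin is rejected for credentialed requests' };
  }
  if (acao !== origin) {
    return { verdict: 'cors-misconfigured', status, hint: `allowed origin ${acao} does not match ${origin}` };
  }
  if (acac !== 'true') {
    return { verdict: 'cors-misconfigured', status, hint: 'access-control-allow-credentials must be "true"' };
  }
  return { verdict: 'ok', status, hint: 'CORS headers are correct for ' + origin };
}

// Constructed samples based on the header dumps in the question.
const BLOCKED_BY_WAF = `HTTP/2 403 Forbidden
server: awselb/2.0
date: Thu, 15 Oct 2020 12:16:25 GMT
content-type: text/html
content-length: 118`;

const SERVED_BY_EXPRESS = `HTTP/2 200 OK
date: Thu, 15 Oct 2020 13:07:41 GMT
content-type: application/json
content-length: 173
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin
access-control-allow-credentials: true`;

console.log(triageCors(BLOCKED_BY_WAF));    // verdict: 'blocked-upstream'
console.log(triageCors(SERVED_BY_EXPRESS)); // verdict: 'ok'
```

The same check can be run against any response copied out of the browser's network panel; a `blocked-upstream` verdict means the fix lives in the WAF or load balancer rules (a request body containing a URL is a common trigger for generic injection or SSRF rule groups), not in the Express `cors` options.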