javascript: permission denied to access a cross-origin object property even though CORS is enabled
Tags: javascript, nginx, cors
I have a website "mydomain.com" that contains an iframe from a different subdomain, "sub.mydomain.com", which holds a WordPress page. Some JS in the page hooks some buttons in the iframe:
var target_height = parseInt(obj.contentWindow.document.body.scrollHeight);
obj.style.height = target_height + 'px';
var iframeOffset = $(obj).offset();
I configured nginx on "sub.mydomain.com" to include the CORS headers this way:
location ^~ /wordpress {
    add_header 'Access-Control-Allow-Origin' "*" always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT, HEAD';
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
    index index.php;
    alias /usr/share/webapps/wordpress/;
    if (!-e $request_filename) { rewrite ^ /wordpress/index.php last; }
    location ~ \.php$ {
        if (!-f $request_filename) { return 404; }
        include fastcgi.conf;
        include fastcgi_params;
        #fastcgi_intercept_errors on;
        #fastcgi_buffers 16 16k;
        #fastcgi_buffer_size 32k;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_pass php;
    }
    location ~ \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
    }
}
Via curl I can see that the CORS headers are included:
curl https://sub.mydomain.com/wordpress/ -svo.
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx/1.14.0
< Date: Wed, 22 May 2019 14:51:55 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.9
< Link: <https://sub.mydomain.com/wordpress/wp-json/>; rel="https://api.w.org/"
< Link: <https://sub.mydomain.com/wordpress/>; rel=shortlink
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, HEAD
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
<
{ [15703 bytes data]
* Failed writing body (0 != 7952)
* Failed writing data
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
corresponding to:
var target_height = parseInt(obj.contentWindow.document.body.scrollHeight);
Edit:
Below is the output of curl -i -X OPTIONS https://sub.mydomain.com/wordpress/ :
HTTP/1.1 200 Connection established
Set-Cookie: IPOCDSERVERID=id_srv-01; path=/
HTTP/1.1 405 Not Allowed
Server: nginx/1.14.0
Date: Wed, 22 May 2019 15:43:49 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>
If you put this in your location, it will see that this is a preflight request and immediately return 204. You have to use all the different headers to get what you want. Have you tried curl -i -X OPTIONS https://sub.mydomain.com/wordpress/ ?
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    #
    # Custom headers and headers various browsers *should* be OK with but aren't
    #
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    #
    # Tell client that this pre-flight info is valid for 20 days
    #
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=utf-8';
    add_header 'Content-Length' 0;
    return 204;
}

I added the output of that command in the edit at the end of the post; what should I be looking for here?

So when you do the preflight check it returns 405, which means it fails.

CORS has no effect on cross-domain communication between iframes.

@Quentin So there is no way to achieve what I want?

Apart from changing the iframe's domain, this isn't going to help. The browser isn't making a preflight request in the first place.

You're right @Quentin, I missed the part about the iframe.
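The point made in the comments is that the failing line, obj.contentWindow.document, is governed by the same-origin policy, not by CORS: Access-Control-* response headers only relax what a script may read from fetch/XHR responses, so no nginx header will let the parent page touch the frame's DOM. (Separately, the config in the question combines Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true, a pairing browsers reject for credentialed requests.) The standard way for a cross-origin frame to share its height is postMessage, with the frame naming the parent's origin as targetOrigin and the parent checking event.origin before acting. The following is an added example that is not part of the question or the answer; the origins, the element id and the message type tag are assumptions, and the tiny in-memory stand-in for the two windows exists only so the exchange can run outside a browser.

```javascript
// Added example (not from the question or answer): a postMessage-based height
// handshake between the parent page on https://mydomain.com and the WordPress
// iframe on https://sub.mydomain.com. Origins, element id and message type are
// assumptions for this example. The same-origin policy blocks
// obj.contentWindow.document no matter which Access-Control-* headers nginx
// sends, so the frame has to report its height and the parent has to verify
// who sent the report before acting on it.
'use strict';

const PARENT_ORIGIN = 'https://mydomain.com';      // assumed parent origin
const FRAME_ORIGIN = 'https://sub.mydomain.com';   // assumed iframe origin
const MSG_TYPE = 'wp-frame-height';                // assumed message type tag
const MAX_HEIGHT_PX = 50000;                       // sanity bound for a page height

// Frame side: build the message the iframe posts to its parent.
function buildHeightMessage(scrollHeight) {
  const h = Number(scrollHeight);
  if (!Number.isFinite(h) || h < 0) {
    throw new RangeError('invalid scrollHeight: ' + scrollHeight);
  }
  return { type: MSG_TYPE, height: Math.ceil(h) };
}

// Parent side: decide whether a MessageEvent is a trustworthy height report.
// Returns the height in px, or null when the event must be ignored.
function acceptHeightMessage(event, expectedOrigin = FRAME_ORIGIN) {
  if (event.origin !== expectedOrigin) return null;            // not our frame
  const d = event.data;
  if (!d || typeof d !== 'object' || d.type !== MSG_TYPE) return null;
  if (typeof d.height !== 'number' || !Number.isInteger(d.height)) return null;
  if (d.height < 0 || d.height > MAX_HEIGHT_PX) return null;   // reject absurd sizes
  return d.height;
}

// In a browser the wiring is:
//   iframe:  window.parent.postMessage(buildHeightMessage(document.body.scrollHeight), PARENT_ORIGIN);
//   parent:  window.addEventListener('message', (e) => {
//              const h = acceptHeightMessage(e);
//              if (h !== null) document.getElementById('wp-frame').style.height = h + 'px';
//            });
// Below, a minimal in-memory stand-in for a window lets the exchange run
// (and be checked) outside a browser.
function makeWindow(origin) {
  const listeners = [];
  return {
    origin,
    addEventListener(type, fn) { if (type === 'message') listeners.push(fn); },
    // Deliver a message only if targetOrigin matches this window's origin,
    // mirroring how browsers drop postMessage calls with a mismatched target.
    receive(data, senderOrigin, targetOrigin) {
      if (targetOrigin !== '*' && targetOrigin !== origin) return false;
      listeners.forEach((fn) => fn({ origin: senderOrigin, data }));
      return true;
    },
  };
}

// Run the exchange: the frame reports its height, the parent resizes the
// element. Returns the resulting style.height string ('' if nothing was accepted).
function simulateExchange(scrollHeight, { senderOrigin = FRAME_ORIGIN, targetOrigin = PARENT_ORIGIN } = {}) {
  const parent = makeWindow(PARENT_ORIGIN);
  const frameEl = { style: { height: '' } };   // stand-in for the <iframe> element
  parent.addEventListener('message', (e) => {
    const h = acceptHeightMessage(e);
    if (h !== null) frameEl.style.height = h + 'px';
  });
  parent.receive(buildHeightMessage(scrollHeight), senderOrigin, targetOrigin);
  return frameEl.style.height;
}
```

The two checks that matter are the explicit targetOrigin on the sending side (so the height never leaks to a page that has framed the WordPress site from somewhere else) and the event.origin comparison on the receiving side (so a message from any other frame cannot resize, or otherwise drive, the parent page). Both are independent of whatever CORS headers nginx emits.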