javascript：尽管启用了cors，但访问跨源对象属性的权限被拒绝_Javascript_Nginx_Cors

javascript：尽管启用了cors，但访问跨源对象属性的权限被拒绝

javascript nginx cors

javascript：尽管启用了cors，但访问跨源对象属性的权限被拒绝,javascript,nginx,cors,Javascript,Nginx,Cors,我有一个网站“mydomain.com”，其中包含一个来自不同子域“sub.mydomain.com”的iframe，其中包含一个wordpress页面。页面中的一些js钩住了iframe的一些按钮： var target_height = parseInt(obj.contentWindow.document.body.scrollHeight); obj.style.height = target_height + 'px'; var iframeOffse

我有一个网站“mydomain.com”，其中包含一个来自不同子域“sub.mydomain.com”的iframe，其中包含一个wordpress页面。页面中的一些js钩住了iframe的一些按钮：

        var target_height = parseInt(obj.contentWindow.document.body.scrollHeight);
    obj.style.height = target_height + 'px'; 
    var iframeOffset = $(obj).offset();

我已将“sub.mydomain.com”上的nginx配置为以这种方式包括CORS头：

    location ^~ /wordpress {
            add_header 'Access-Control-Allow-Origin' "*" always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT, HEAD';
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Headers' 'User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;


            index index.php;
            alias /usr/share/webapps/wordpress/;

            if (!-e $request_filename) { rewrite ^ /wordpress/index.php last; }

            location ~ \.php$ {
                    if (!-f $request_filename) { return 404; }
                    include fastcgi.conf;
                    include fastcgi_params;
                    #fastcgi_intercept_errors on;
                    #fastcgi_buffers 16 16k;
                    #fastcgi_buffer_size 32k;
                    fastcgi_index index.php;

                    fastcgi_param SCRIPT_FILENAME $request_filename;
                    fastcgi_pass php;

            }

            location ~ \.(js|css|png|jpg|jpeg|gif|ico)$ {
                    expires max;
            }
    }

通过curl，我可以看到CORS标题包括：

curl https://sub.mydomain.com/wordpress/ -svo.

{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx/1.14.0
< Date: Wed, 22 May 2019 14:51:55 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.2.9
< Link: <https://sub.mydomain.com/wordpress/wp-json/>; rel="https://api.w.org/"
< Link: <https://sub.mydomain.com/wordpress/>; rel=shortlink
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT, HEAD
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
< 
{ [15703 bytes data]
* Failed writing body (0 != 7952)
* Failed writing data
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]

对应于

var target_height = parseInt(obj.contentWindow.document.body.scrollHeight);

编辑：下面是

curl-i-X选项的输出https://sub.mydomain.com/wordpress/

：

HTTP/1.1 200 Connection established
Set-Cookie: IPOCDSERVERID=id_srv-01; path=/

HTTP/1.1 405 Not Allowed
Server: nginx/1.14.0
Date: Wed, 22 May 2019 15:43:49 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range

<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>

HTTP/1.1 200连接已建立
设置Cookie:IPOCDSERVERID=id_srv-01；路径=/
不允许使用HTTP/1.1 405
服务器：nginx/1.14.0
日期：2019年5月22日星期三15:43:49 GMT
内容类型：text/html
内容长度：173
连接：保持活力
访问控制允许来源：*
访问控制允许凭据：true
访问控制允许标头：用户代理、保持活动状态、内容类型、授权、来源、X-Requested-With、Accept、DNT、用户代理、X-Requested-With（如果自修改）、缓存控制、内容类型、范围
405不允许
405不允许
nginx/1.14.0

通过

如果你把它放在你的位置，它会看到这是一个飞行前的请求，并立即返回204。你必须使用所有不同的标题才能得到你想要的。

你试过

curl-i-X选项吗https://sub.mydomain.com/wordpress/

我在文章末尾的编辑中添加了该命令的输出，我应该在这里寻找什么？所以当你做飞行前检查时，它返回405，这意味着它失败了。CORS对iFrame之间的跨域通信没有影响。@Quentin所以我没有办法实现我想要的？除了更改iframe的域之外，这不会有任何帮助。浏览器一开始并没有发出飞行前的请求。你是对的@Quentin我错过了关于iframe的部分。

HTTP/1.1 200 Connection established
Set-Cookie: IPOCDSERVERID=id_srv-01; path=/

HTTP/1.1 405 Not Allowed
Server: nginx/1.14.0
Date: Wed, 22 May 2019 15:43:49 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type,Authorization,Origin,X-Requested-With,Accept,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range

<html>
<head><title>405 Not Allowed</title></head>
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx/1.14.0</center>
</body>
</html>

if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    #
    # Custom headers and headers various browsers *should* be OK with but aren't
    #
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
    #
    # Tell client that this pre-flight info is valid for 20 days
    #
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=utf-8';
    add_header 'Content-Length' 0;
    return 204;
 }