Cross origin request and mixed-content only on Firefox

Problem description

I'm working on a project which requires HTTPS, so I started up an HTTPS server with a self-signed certificate. I also have an HTTP API server with CORS enabled.

I'm able to fetch API requests on Chrome. Here are the headers of the preflight response (with HTTP status code 204):

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: appversion,channel,content-type,language

Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE

Access-Control-Allow-Origin: https://localhost:3001

Connection: keep-alive

Content-Length: 0

Date: Thu, 23 Aug 2018 04:04:45 GMT

Vary: Origin, Access-Control-Request-Headers

But I got an error on Firefox.

If I stop my HTTPS server and run an HTTP server, my project works on Firefox. Is there any way to fix this on my dev environment?

Solution

The problem is that you are serving through HTTPS content that also comes from HTTP. In this case you will have mixed-content issues in very strict browsers like Firefox.

The fix for this is making requests only through HTTPS, as pointed out in this article: https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content#How_to_fix_your_website

Chrome is working because it is usually less error prone and actually "accepts" almost anything that you give it to work with.

Keep in mind that this works in HTTP because there is no issue if you go from non-secure to more secure, but if you go the other way the browser should complain!! And it's actually a good thing it does so. Otherwise the site shouldn't be so trusty.
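
The rule described in this answer, as an added example that is not part of the original post: a simplified model of the browser's mixed-content decision for fetch/XHR requests, useful for auditing the API URLs a front end calls. The function names, the API host `api.example.test`, port 3000 and the `exemptLoopback` switch (browsers have differed on whether plain-HTTP loopback addresses are exempt) are assumptions for illustration.

```javascript
// Added example: simplified model of the mixed-content check for fetch/XHR.
// All URLs used with it are constructed samples, not values from the question.

// Loopback hosts that some browsers treat as trustworthy even over plain HTTP.
const LOOPBACK = /^(localhost|127(\.\d{1,3}){3}|\[::1\])$/;

// True when the request target is delivered over an authenticated channel.
// exemptLoopback (assumption) models a browser that exempts HTTP loopback hosts.
function isTrustworthy(url, exemptLoopback) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  return Boolean(exemptLoopback) && LOOPBACK.test(url.hostname);
}

// Classifies a request made by the page at pageUrl to requestUrl.
// Returns 'allowed' or 'blocked'.
function checkRequest(pageUrl, requestUrl, { exemptLoopback = false } = {}) {
  const page = new URL(pageUrl);
  // Relative URLs resolve against the page, so they inherit its HTTPS origin.
  const req = new URL(requestUrl, page);
  // An HTTP page is not a secure context: the mixed-content rule does not apply.
  if (page.protocol !== 'https:') return 'allowed';
  return isTrustworthy(req, exemptLoopback) ? 'allowed' : 'blocked';
}

// Returns the subset of request URLs that an HTTPS page could not fetch.
function auditRequests(pageUrl, requestUrls, options) {
  return requestUrls.filter(
    (u) => checkRequest(pageUrl, u, options) === 'blocked'
  );
}

// Constructed sample: the HTTPS dev page from the question calling three targets.
const sample = auditRequests('https://localhost:3001/', [
  'http://api.example.test:3000/users',  // plain HTTP API: blocked
  'https://api.example.test/users',      // HTTPS API: allowed
  '/api/users',                          // same-origin path behind an HTTPS proxy: allowed
]);
console.log(sample);
```

Requests that show up in the audit either need an HTTPS endpoint on the API or a same-origin path that the HTTPS dev server proxies to it.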
