带有预检和重定向的CORS请求：不允许。解决方法？ [英] CORS request with Preflight and redirect: disallowed. Workarounds?

问题描述

我正在设计一个API，允许用户进行身份验证（使用令牌），并在同一个域中包含重定向。现在，对于返回303的未认证的对端点的请求，

  GET / documents / 123  - 303重定向到`/ documents / abc'
 GET / documents / abc  - > 200 
  

一切正常。

让我们对发送 Authorization 头的同一个端点做一个认证请求。这会使请求成为预检请求，浏览器会执行预检 OPTIONS 请求，例如

  OPTIONS / documents / 123  - > 204（一切正常，请继续）
 GET / documents / 123  - > 303重定向到`/ documents / abc` 
  

此时， GET 使用 / documents / abc 时的实际资源，浏览器会产生

  XMLHttpRequest无法加载http：// localhost：8000 / people / username / nschloe。 
请求被重定向到http：// localhost：8000 / people / YDHa-B2FhMie，
，不允许用于需要预检的跨源请求。 
  

此行为符合标准：

7.1.5具有预检的跨原始请求

如果响应的HTTP状态代码不在2xx范围内

应用网络错误步骤。

这似乎意味着一个 localhost ），也不能对已验证的资源进行重定向。

这真的可以吗？有没有常见的解决方法？

解决方案

原始标准在成功CORS预检后阻止重定向。 引用§7.1.5.3 ：

这是实际的请求。

• 如果响应的HTTP状态代码为301， 302，303，307或308
  应用缓存和网络错误步骤。

由于您的努力（感谢！），8月4日的标准是更新允许

在浏览器赶上之前，唯一可行的选项似乎是一个或其组合：

1. 仅针对简单请求。


2. 发出 305 redirect ，并将 Location 标头中的您自己的网址作为代理。


3. 做一个假的重定向：
   
   
   
   
   • 返回HTML与元刷新和/或Javascript 位置更改。
   
   
   • 具有以重定向目标作为iframe源的视口填充 iframe 。
   
   
   • 显示用户必须点击的链接
   
   
   

I'm designing an API that allows the user to authenticate (using tokens) and that contains redirects within the same domain. Now, for an unauthenticated request to an endpoint that returns 303,

GET /documents/123  --> 303 redirect to `/documents/abc`
GET /documents/abc  --> 200

everything works out nicely.

Let's do an authenticated request to the same endpoint where the Authorization header is sent. This makes the request a preflighted request and the browser does a preflight OPTIONS request, i.e.

OPTIONS /documents/123   --> 204 (everything okay, please proceed)
GET /documents/123       --> 303 redirect to `/documents/abc`

At this point, instead of GETting the actual resource at /documents/abc, the browser yields

XMLHttpRequest cannot load http://localhost:8000/people/username/nschloe. 
The request was redirected to 'http://localhost:8000/people/YDHa-B2FhMie', 
which is disallowed for cross-origin requests that require preflight.

This behavior is in accordance with the standard:

7.1.5 Cross-Origin Request with Preflight

If the response has an HTTP status code that is not in the 2xx range

Apply the network error steps.

This seems to mean that one cannot do redirects for authenticated resources, even if the redirect is on the same domain (localhost).

Can this really be true? Is there a common workaround?

解决方案

The original standard does preclude redirect after a successful CORS preflight. Quoting § 7.1.5.3:

This is the actual request. Apply the make a request steps and observe the request rules below while making the request.

• If the response has an HTTP status code of 301, 302, 303, 307, or 308 Apply the cache and network error steps.

Due to your efforts (thanks!), on August 4 the standard was updated to allow redirect after successful CORS preflight check.

Until browsers catch up, the only feasible options seem to be one or a combination of:

1. Issue redirects only for simple requests.
2. Issue a 305 redirect, with your own URL in the Location header as the "proxy". Be prepared for limited browser support, as 305 is deprecated.
3. Do a fake "redirect":
   • return HTML with meta refresh and/or Javascript Location change.
   • return HTML that has a viewport-filling iframe with the redirect target as the iframe's source.
   • display a link that the user has to click in order to access the content.

这篇关于带有预检和重定向的CORS请求：不允许。解决方法？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！