Why is this CORS request failing only in Firefox?


Problem description

I'm implementing CORS with credentials and a preflight request and I'm a bit mystified why the preflight request consistently fails in Firefox 30 but works in Safari (7.0.2) and Chrome 35. I think this issue is different from "Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?" because I am not getting a 401, but rather a CORS-specific message from the browser client:


"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myurl.dev.com. This can be fixed by moving the resource to the same domain or enabling CORS."

Without showing source code, here's what I'm doing:

On the server

Headers for OPTIONS response:


  • Access-Control-Allow-Origin: [[copy origin from the request here]]
  • Access-Control-Allow-Methods: "POST GET OPTIONS"
  • Access-Control-Allow-Headers: "X-Requested-With"
  • Access-Control-Allow-Credentials: "true"

Headers for POST response:


  • Access-Control-Allow-Origin: [[copy origin from the request here]]
  • Access-Control-Allow-Credentials: "true"

On the browser client

jQuery.ajax({
  url: requestUrl,
  type: 'POST',
  data: getData(),
  xhrFields: {
    withCredentials: true
  }
});

Per the spec, this will trigger an OPTIONS preflight request which needs to have the CORS headers in its response. I've read through the W3C spec several times and I can't identify what I'm doing wrong, if anything, in that preflight response.

Recommended answer

Note that Firefox is the only browser that is compliant here. If parsing of Access-Control-Allow-Methods fails per https://fetch.spec.whatwg.org/#cors-preflight-fetch a network error needs to be returned. And per the ABNF for the header value it is most definitely a comma-separated value.
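The parsing step the answer refers to, as an added example that is not part of the original question or answer: a simplified model of a strict preflight check, run against the question's headers as posted and with the method list comma-separated. The function names, the placeholder origin `http://app.example` and the result strings are assumptions; only the origin, credentials and method checks are modelled.

```javascript
// Added example: simplified model of a browser's CORS preflight check.
// ABNF "method = token"; token characters as defined in RFC 7230.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Parse a comma-separated token list. Returns an array, or null on parse failure.
function parseTokenList(value) {
  const items = [];
  for (const raw of value.split(',')) {
    const item = raw.replace(/^[ \t]+|[ \t]+$/g, ''); // strip optional whitespace
    if (item === '') continue;          // this model tolerates empty list elements
    if (!TOKEN.test(item)) return null; // "POST GET OPTIONS" contains spaces
    items.push(item);
  }
  return items;
}

// Hypothetical helper: decide whether a preflight response allows the request.
function checkPreflight(headers, request) {
  const allowOrigin = headers['access-control-allow-origin'];
  const wildcardOk = allowOrigin === '*' && !request.credentials;
  if (allowOrigin !== request.origin && !wildcardOk) return 'network error: origin';
  if (request.credentials && headers['access-control-allow-credentials'] !== 'true') {
    return 'network error: credentials';
  }
  const methods = parseTokenList(headers['access-control-allow-methods'] || '');
  // A parse failure is fatal even though POST is a CORS-safelisted method.
  if (methods === null) return 'network error: Access-Control-Allow-Methods did not parse';
  const safelisted = ['GET', 'HEAD', 'POST'].includes(request.method);
  if (!safelisted && !methods.includes(request.method)) return 'network error: method';
  return 'ok';
}

// Constructed sample: the question's preflight headers with a placeholder origin.
const request = { origin: 'http://app.example', method: 'POST', credentials: true };
const asPosted = {
  'access-control-allow-origin': 'http://app.example',
  'access-control-allow-methods': 'POST GET OPTIONS',
  'access-control-allow-headers': 'X-Requested-With',
  'access-control-allow-credentials': 'true',
};
const corrected = { ...asPosted, 'access-control-allow-methods': 'POST, GET, OPTIONS' };

console.log('as posted:', checkPreflight(asPosted, request));
console.log('corrected:', checkPreflight(corrected, request));
```

Lenient parsers that split on whitespace as well as commas would accept the first header set, which is how a malformed value can go unnoticed until a stricter client is tested.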
