Preflight request not being handled by apache (CORS)


Problem description

General:

Request URL:x/site.php
Request Method:OPTIONS
Status Code:302 Found
Remote Address:x.x.x.x:80

Response Headers:

Access-Control-Allow-Headers:Content-Type
Access-Control-Allow-Origin:*
Access-Control-Max-Age:300
Cache-Control:no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Length:0
Content-Type:text/html; charset=UTF-8
Date:Thu, 02 Mar 2017 14:27:21 GMT
Expires:Thu, 19 Nov 1981 08:52:00 GMT
Location:y
Pragma:no-cache
Server:Apache/2.4.25 (Ubuntu)

Request Headers:

Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:authorization
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
DNT:1
Host:x
Origin:http://127.0.0.1:3000
Pragma:no-cache
Referer:http://127.0.0.1:3000/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.90 Safari/537.36

Apache virtualhost config looks as so:

    <IfModule mod_headers.c>
           Header set Access-Control-Allow-Origin "http://127.0.0.1:3000"
           Header set Access-Control-Allow-Origin "http://127.0.0.1"
           Header set Access-Control-Max-Age "300"
           Header set Access-Control-Allow-Credentials "true"
           Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
           Header set Access-Control-Allow-Methods "POST, GET, PUT, DELETE, PATCH, OPTIONS"
    </IfModule>

The preflight request is skipping the apache config and hitting my webapp directly, which does a redirect (hence the 302 and the location: y).

I don't know why the preflight request is not being handled by apache?

Recommended answer

The two main things you need to change/add are:

  • Use Header always set instead of just Header set
  • Use mod_rewrite to handle the OPTIONS by just sending back a 200 OK with those headers

So to enable the request in the question to work, here’s a minimal(ish) config snippet:

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Headers "Authorization"
Header always set Access-Control-Allow-Methods "GET, OPTIONS"
Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
Header always set Access-Control-Max-Age "600"

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

https://benjaminhorn.io/code/setting-cors-cross-origin-resource-sharing-on-apache-with-correct-response-headers-allows-everything-through/

Some general notes about the values to set for the various Access-Control-* response headers:

  • Access-Control-Allow-Headers: you must set it to include any header names your request sends except CORS-safelisted header names or so-called "forbidden" header names (names of headers set by the browser that you can’t set in your JavaScript); the spec alternatively allows the * wildcard as its value—so you can try it someday, but no browser supports it yet: Chrome bug, Firefox bug, Safari bug
  • Access-Control-Allow-Methods: the spec alternatively allows the * wildcard—but again, as with Access-Control-Allow-Headers: *, no browsers support it yet
  • Access-Control-Expose-Headers: you must set it to include any response headers your client code needs to read beyond Cache-Control, Content-Language, Content-Type, Expires, Last-Modified and Pragma—which are exposed by default (a lot of people forget to set this and end up baffled about why they can’t read the value of a particular response header); again the spec alternatively allows the * wildcard here, but no browsers support it yet
  • Access-Control-Max-Age: Chrome has an upper limit of 600 (10 minutes) hardcoded, so there’s no point in setting a higher value for it than that (Firefox may respect it, but Chrome will just throttle it down to 10 minutes if you set it higher, and Safari limits it to only 5 minutes)

So then, about the particular request shown in the question, here are some specific notes:

  • Your request has Access-Control-Request-Headers:authorization so in your Apache config, add Authorization in the Access-Control-Allow-Headers response header too.
  • Origin is a "forbidden" header name set by the browser, and Accept is a CORS-safelisted header name, so you don’t need to include them in Access-Control-Allow-Headers
  • Your request sends no Content-Type, so it isn’t needed in Access-Control-Allow-Headers in the response (and never needed for GET requests and otherwise only needed if the type is other than application/x-www-form-urlencoded, text/plain, or multipart/form-data)
  • For Access-Control-Allow-Methods, your request seems to just be a GET, so unless you plan to also make POST/PUT/DELETE/PATCH requests, no point in explicitly including them
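As an added illustration (not part of the question or the answer), here is a Python model of the browser's preflight decision, following the Fetch spec's CORS-preflight algorithm. The header dictionaries are transcribed from the request/response shown in the question and from the answer's `Header always set` lines; it reproduces why the 302 response fails, why the same headers would still fail with a 200 (no `authorization` in `Access-Control-Allow-Headers`), and why the answer's headers pass.

```python
# Browser-side CORS preflight check, modelled on the Fetch spec (added example, not page code).

SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}

# Constructed from the question: what Chrome sent, and what came back with the 302.
QUESTION_REQUEST = {
    "Origin": "http://127.0.0.1:3000",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "authorization",
}
QUESTION_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "Content-Type",
}
# Constructed from the answer's "Header always set" lines.
ANSWER_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "Authorization",
    "Access-Control-Allow-Methods": "GET, OPTIONS",
}

def _tokens(value):
    """Split a comma-separated header value into lower-cased names."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def preflight_result(status, request_headers, response_headers, credentials=False):
    """Return (ok, reason): would the browser accept this OPTIONS response?"""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    if not 200 <= status <= 299:  # a 302 is fatal: preflight redirects are not followed
        return False, f"preflight status {status} is not 2xx"
    origin, allow_origin = req.get("origin", ""), res.get("access-control-allow-origin", "")
    if allow_origin != origin and not (allow_origin == "*" and not credentials):
        return False, f"origin {origin} not allowed by Access-Control-Allow-Origin {allow_origin!r}"
    if credentials and res.get("access-control-allow-credentials", "").lower() != "true":
        return False, "credentialed request needs Access-Control-Allow-Credentials: true"
    method = req.get("access-control-request-method", "GET").upper()
    methods = _tokens(res.get("access-control-allow-methods", ""))
    # GET/HEAD/POST are CORS-safelisted methods and never need to be listed.
    if (method.lower() not in methods and method not in ("GET", "HEAD", "POST")
            and not ("*" in methods and not credentials)):
        return False, f"method {method} not in Access-Control-Allow-Methods"
    allowed = _tokens(res.get("access-control-allow-headers", ""))
    wildcard = "*" in allowed and not credentials
    for name in sorted(_tokens(req.get("access-control-request-headers", "")) - SAFELISTED):
        # Authorization is never covered by the * wildcard; it must be listed by name.
        if name not in allowed and not (wildcard and name != "authorization"):
            return False, f"header {name!r} not in Access-Control-Allow-Headers"
    return True, "preflight passes"
```

Note that the request in the question asks for `authorization`, which the spec excludes from `*` coverage, so even a wildcard `Access-Control-Allow-Headers` would not have fixed it.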
