IE11 CORS拒绝https上的选项 [英] IE11 CORS rejecting OPTIONS on https
问题描述
IE11由于某种原因拒绝了PUT请求,但仅当我使用https时. 我很难找到问题,因为使用http,localhost和其他浏览器可以正常工作.
IE11 for some reason is rejecting a PUT request but only when I use https. I have very hard time to find the issue as using http, localhost and other browsers works fine.
控制台显示两个错误
SEC7124: Request method PUT was not present in the Access-Control-Allow-Methods list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
从浏览器发送的
OPTION请求是
OPTION request sent from the browser is
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: accept, content-type, session-id
Access-Control-Request-Method: PUT
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 0
Host: api.domain.com
Origin: https://portal.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
,服务器的响应如下:
X-Powered-By: Servlet/2.5
Server: server
Content-Encoding: gzip
Access-Control-Expose-Headers: Session-Id
Access-Control-Allow-Origin: *
Access-Control-Max-Age: -1
Allow: OPTIONS,GET,HEAD,PUT
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, Content-Type, session-id, authorization, portal-url
Content-Type: application/vnd.sun.wadl+xml
Content-Length: 352
Date: Tue, 19 Jan 2016 15:33:38 GMT
AngularJS用于客户端标准$ http PUT. 服务器端使用带有jersey的Java,请求过滤器处理CORS如下:
AngularJS is used on client side standard $http PUT is used. Java with jersey is used on server side and request filter to handle CORS is the following:
public ContainerResponse filter( final ContainerRequest request, final ContainerResponse response )
{
if ( request.getHeaderValue( "Origin" ) != null )
{
final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
headers.add( "Access-Control-Allow-Origin", "*" );
headers.add( "Access-Control-Expose-Headers", "Session-Id" );
headers.add( "Access-Control-Allow-Credentials", Boolean.TRUE.toString() );
}
if ( "OPTIONS".equals( request.getMethod() ) )
{
final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] )
{
headers.add( "Access-Control-Allow-Methods", method );
}
headers.add( "Access-Control-Allow-Headers",
"accept, origin, Content-Type, session-id, authorization, portal-url, "
+ "If-Modified-Since, Cache-Control, Pragma" );
headers.add( "Access-Control-Max-Age", "-1" );
}
return response;
}
也许您可以看到问题所在.
Maybe you can see what may be wrong with that.
谢谢
推荐答案
我设法找到了问题.
我在https上看到此问题的原因仅在于门户网站和主机位于不同的域中.我无法在本地主机上复制该问题,因为服务器和门户都在同一域中.这意味着未发送OPTION请求,并且一切正常.在本地主机上运行门户并将IP地址用作服务器URL而不是本地主机后,该请求中包含OPTION请求,我可以复制我的问题.
I saw this issue on https only because the portal and the host where on different domains. I could not replicate the issue on localhost because both the server and portal are on this same domain. This means the OPTION request was not sent and everything worked as expected. After running the portal on localhost and using IP address as a server URL instead of localhost the OPTION request was included in the request and I could replicate my issue.
其自身的问题归结于服务器上的以下代码
And the issue it self was down to following code on the server
for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] )
{
headers.add( "Access-Control-Allow-Methods", method );
}
由于某些原因,IE不喜欢多个Access-Control-Allow-Methods标头.将代码更改为以下问题后,此问题得以解决.
for some reason IE did not like multiple Access-Control-Allow-Methods headers. After changing code to the following issue was solved.
List<String> ALLOWED_METHODS = Arrays.asList( "OPTIONS", "GET", "POST", "PUT", "DELETE" );
headers.add( "Access-Control-Allow-Methods", ALLOWED_METHODS );
这篇关于IE11 CORS拒绝https上的选项的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
