缓存的非CORS响应与新的CORS请求冲突 [英] Cached non CORS response conflicts with new CORS request
问题描述
要点:
我有一个页面使用s3中的图像的标签加载(HTML img标记),并且我有一个页面使用xmlhttprequest.标记加载将在没有CORS头的情况下进行缓存,因此xmlhttprequest会看到缓存的版本,检查其头,并因跨源错误而失败.
I have a page that uses tag loading of an image from s3 (HTML img tag) and I have a page that uses xmlhttprequest. The tag loading gets cached without the CORS headers and so the xmlhttprequest sees the cached version, checks it's headers and fails with a cross origin error.
详细信息:
edit :Safari 5.1.6和Chrome 21.0.1180.89均失败.在Firefox 14中可以正常工作.
edit: Fails in both safari 5.1.6 and chrome 21.0.1180.89. Works fine in Firefox 14.
使用S3的新CORS,我将CORSRule设置为:
Using S3's new CORS, I setup a CORSRule as so:
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<MaxAgeSeconds>0</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
如果我从S3请求图像而未在请求标头中设置原点,则会在响应中返回没有任何CORS标头的图像.
If I request an image from S3 without setting the origin in the request headers I get back the image without any CORS headers in the response.
由于浏览器使用非CORS版本的缓存,因此该缓存的缓存和后续的CORS请求(确实在请求标头中设置了原始请求的请求)会被拒绝.
This get's cached and subsequent CORS requests (one's that do set the origin in the request header) get rejected as the browser uses the non CORS version form the cache.
解决此问题的最佳方法是什么?我可以设置一些内容以使非CORS版本永远不会被缓存吗?我是否应该通过在请求的网址后添加?some_flag来区分CORS请求?
What's the best way to solve this? Can I set something so the non CORS version never gets cached? Should I differentiate the CORS requests by appending a ?some_flag to the url of the request?
理想情况下,即使请求中不包含来源",我也希望S3始终发送回所需的CORS标头.
Ideally I'd have S3 ALWAYS send back the needed CORS headers even if the request doesn't contain "origin".
推荐答案
我遇到了同样的问题.正如@monsur所说,问题在于S3不会设置"Vary:Origin"标头,即使它应该设置.不幸的是,据我所知,没有办法让S3发送该标头.但是,可以通过在需要CORS时将查询字符串参数添加到诸如?origin=example.com之类的请求中来解决此问题.查询字符串会强制浏览器不使用缓存的资源.
I ran into the same problem. As @monsur said, the problem is that S3 doesn't set teh "Vary: Origin" header, even though it should. Unfortunately, as far as I know there is no way to get S3 to send that header. However, you can work around this by adding a query string paramater to the request such as ?origin=example.com when you need CORS. The query string forces the browser not to use the cached resource.
理想情况下,启用CORS时,cloudfront和S3将发送Vary:Origin标头,并且/或者Webkit将在Origin标头上隐式变化,我认为Firefox会这样做,因为它没有此问题.
Ideally, cloudfront and S3 would send the Vary:Origin header when CORS is enabled and/or Webkit would implicitly vary on the Origin header, which I assume Firefox does since it doesn't have this problem.
这篇关于缓存的非CORS响应与新的CORS请求冲突的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
