CORS request with Preflight and redirect: disallowed. Workarounds?


Question

I'm designing an API that allows the user to authenticate (using tokens) and that contains redirects within the same domain. Now, for an unauthenticated request to an endpoint that returns 303,

GET /documents/123  --> 303 redirect to `/documents/abc`
GET /documents/abc  --> 200

everything goes smoothly.

Let's do an authenticated request to the same endpoint where the Authorization header is sent. This makes the request a preflighted request and the browser does a preflight OPTIONS request, i.e.

OPTIONS /documents/123   --> 204 (everything okay, please proceed)
GET /documents/123       --> 303 redirect to `/documents/abc`

At this point, instead of GETting the actual resource at /documents/abc, the browser yields

XMLHttpRequest cannot load http://localhost:8000/people/username/nschloe. 
The request was redirected to 'http://localhost:8000/people/YDHa-B2FhMie', 
which is disallowed for cross-origin requests that require preflight.

This behavior is in line with the standard:

7.1.5 Cross-Origin Request with Preflight

If the response has an HTTP status code that is not in the 2xx range

Apply the network error steps.

This seems to mean that one cannot do redirects for authenticated resources, even if the redirect is on the same domain (localhost).

Can this really be true? Is there a common workaround?

Answer

The original standard does preclude redirect after a successful CORS preflight. Quoting § 7.1.5.3:

This is the actual request. Apply the make a request steps and observe the request rules below while making the request.

  • If the response has an HTTP status code of 301, 302, 303, 307, or 308: Apply the cache and network error steps.

Due to your efforts (thanks!), on August 4 2016 the standard was updated to allow a redirect after a successful CORS preflight check.

Until browsers catch up, the only feasible options seem to be one or a combination of:

  1. Issue redirects only for simple requests.
  2. Issue a 305 redirect, with your own URL in the Location header as the "proxy". Be prepared for limited browser support, as 305 is deprecated.
  3. Do a fake "redirect":
    • return HTML with meta refresh and/or a JavaScript Location change.
    • return HTML that has a viewport-filling iframe with the redirect target as the iframe's source.
    • display a link that the user has to click in order to access the content.
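The following is an added example that is not part of the original question or answer. It implements workarounds 1 and 3 from the answer above in a framework-free Node.js request handler: a real 303 is issued only when the request was simple (no Authorization header, hence no preflight), while a preflighted request gets a 200 "fake redirect". For a browser navigation that is the meta-refresh/JavaScript page the answer describes; for an XMLHttpRequest/fetch caller the example goes one step further than the answer and returns a JSON body naming the target, which the client follows itself. It also includes the browser-side rule (`isSimpleRequest`) that decides whether a preflight happens at all. Assumed, not from the page: the API origin http://localhost:8000, the front-end origin http://localhost:3000, the alias table, and the sample document.

```javascript
// Added example, not code from the original question or answer.
// Assumed: API at http://localhost:8000, front end at http://localhost:3000,
// and the single alias /documents/123 -> /documents/abc from the question.
const API_ORIGIN = 'http://localhost:8000';      // assumed
const ALLOWED_ORIGIN = 'http://localhost:3000';  // assumed front-end origin

// Constructed data mirroring the question: one alias and one real document.
const ALIASES = { '/documents/123': '/documents/abc' };
const DOCUMENTS = { '/documents/abc': { id: 'abc', title: 'constructed sample' } };

// What the browser checks before deciding to preflight: the method must be
// GET/HEAD/POST and every author-set header must be CORS-safelisted (with a
// safelisted Content-Type). `headers` are the headers the page passed to
// fetch()/XMLHttpRequest, not the ones the browser adds on its own.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_MIME = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function isSimpleRequest(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return false;
  return Object.entries(headers).every(([name, value]) => {
    const lower = name.toLowerCase();
    if (!SAFELISTED.has(lower)) return false;          // e.g. Authorization
    if (lower !== 'content-type') return true;
    return SAFE_MIME.has(value.split(';')[0].trim().toLowerCase());
  });
}

function corsHeaders() {
  return {
    'Access-Control-Allow-Origin': ALLOWED_ORIGIN,
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    'Access-Control-Allow-Headers': 'Authorization',
    'Access-Control-Max-Age': '600',
  };
}

// Pure request handler: takes {method, url, headers} and returns
// {status, headers, body}, so it can be exercised without opening a socket.
function handle(req) {
  const method = req.method.toUpperCase();
  const headers = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const path = req.url.split('?')[0];

  if (method === 'OPTIONS') {
    // Preflight reply: "everything okay, please proceed".
    return { status: 204, headers: corsHeaders(), body: '' };
  }
  if (method !== 'GET') {
    return { status: 405, headers: corsHeaders(), body: 'method not allowed' };
  }

  const target = ALIASES[path];
  if (target) {
    const location = API_ORIGIN + target;   // server-controlled, safe to embed below
    // Workaround 1: a real 303 only when no preflight happened, i.e. the
    // request carried no Authorization header.
    if (!('authorization' in headers)) {
      return { status: 303, headers: { ...corsHeaders(), Location: location }, body: '' };
    }
    // Workaround 3: "fake redirect" for the preflighted case. A navigation
    // (Accept lists text/html) gets meta refresh + JS location change + a
    // plain link; an XHR/fetch caller gets JSON naming the target and follows
    // it itself (an adaptation of option 3 added here, not from the answer).
    const wantsHtml = (headers.accept || '').includes('text/html');
    if (wantsHtml) {
      const html = `<!doctype html><meta http-equiv="refresh" content="0; url=${location}">` +
        `<script>location.replace(${JSON.stringify(location)})</script>` +
        `<a href="${location}">Continue to document</a>`;
      return { status: 200, headers: { ...corsHeaders(), 'Content-Type': 'text/html' }, body: html };
    }
    return {
      status: 200,
      headers: { ...corsHeaders(), 'Content-Type': 'application/json' },
      body: JSON.stringify({ redirect: location }),
    };
  }

  const doc = DOCUMENTS[path];
  if (!doc) return { status: 404, headers: corsHeaders(), body: 'not found' };
  return {
    status: 200,
    headers: { ...corsHeaders(), 'Content-Type': 'application/json' },
    body: JSON.stringify(doc),
  };
}

// Call start() to serve the handler on port 8000 (not invoked automatically).
function start(port = 8000) {
  const http = require('http');
  return http.createServer((req, res) => {
    const out = handle({ method: req.method, url: req.url, headers: req.headers });
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(port);
}
```

A client that sends `Authorization` then has to treat a 200 with a `redirect` field as an application-level redirect and issue a second request to that URL itself (re-attaching the token, since the browser will never do it for a fake redirect). The 305 option from the answer is deliberately left out: proxy redirects are deprecated and a client cannot be expected to honour them.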
