iOS11 在所有移动浏览器中导致 CORS 问题 [英] iOS11 causing CORS Issues in all mobile browsers
问题描述
我们正在使用 iOS11 的 iOS 设备上测试我们的网站,并注意到它出现问题,因为浏览器不接受来自我们 API 的响应.使用远程调试器,我们能够确定我们遇到了 CORS 权限错误,并且响应正文和 HTTP 标头被剥离.这似乎发生在所有移动 iOS 浏览器 (Chrome/Safari) 上,即使在我将 CORS 响应标头更改为通配符值之后,这种情况仍会继续发生.但是,iOS 的所有其他浏览器/操作系统/版本都运行良好.我附上了来自我们 API 的网络响应、我们的 API 的响应标头以及我们从控制台获得的错误.
We were testing our website on iOS devices with iOS11, and noticed that it was breaking, as the browser would not accept responses from our API. Using the remote debugger, we were able to determine that we were getting a CORS permission error, and the response body and HTTP Headers were being stripped. This seemed to be occurring on all mobile iOS browsers (Chrome/Safari), and continued to occur even after I changed the CORS response header to a wildcard value. However, every other browser/OS/version of iOS is working perfectly. I have attached the network response from our API, the response headers for our API, and the error we are getting from the console.
iOS11 是否存在可能导致此问题或失败的问题,有什么方法可以得到进一步的诊断吗?
Is there something about iOS11 that might be causing this, or failing that, is there any way I can get further diagnostics?
推荐答案
我们遇到了类似的情况,在域 A 上托管了一个表单,并将数据发布到域 B 上的 API.来自域 A 的 POST 请求包含与域 B 无关的标头x-api-key"
We had a similar situation with a form hosted on domain A and posting the data to an API on domain B. The POST request from domain A contained the header "x-api-key" that is not relevant for domain B
对 API 的预检 OPTIONS 请求的响应包含标头
The response to the preflight OPTIONS request to the API contained the headers
- 访问控制允许来源:https://domainA
- 访问控制允许标题:*
- 访问控制允许方法:*
这对除 iOS 上的浏览器之外的所有浏览器都适用.正如我们最终发现的那样,为 Access-Control-Allow-Headers 指定通配符 *不适用于 iOS 浏览器.在对 OPTIONS 请求的响应中,您需要指定 POST 请求中存在的所有标头,即使某些标头与域 B 上的服务器无关.只有这样,iOS 才会发送 POST 请求.
That worked fine for all browsers except those on iOS. As we finally found out, specifying the wild card * for Access-Control-Allow-Headers does not work for iOS browsers. In the response to the OPTIONS request you need to specify all the headers that are present in the POST request, even if some headers are not relevant for the server on domain B. Only then will iOS send the POST request.
将响应标头更改为
- Access-Control-Allow-Headers:Accept,Content-Type,X-Requested-With,x-api-key
做到了(即使标头 x-api-key 没有在服务器 B 上处理)
did it (even if the header x-api-key is not processed on server B)
这篇关于iOS11 在所有移动浏览器中导致 CORS 问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
