为什么这个 CORS 请求只在 Firefox 中失败? [英] Why is this CORS request failing only in Firefox?

问题描述

我正在使用凭据和预检请求实现 CORS，我有点困惑为什么预检请求在 Firefox 30 中始终失败但在 Safari (7.0.2) 和 Chrome 35 中有效.我认为这个问题与"为什么预检选项经过身份验证的 CORS 请求的请求在 Chrome 中有效，但在 Firefox 中无效?"因为我没有收到 401，而是来自浏览器客户端的特定于 CORS 的消息:

I'm implementing CORS with credentials and a preflight request and I'm a bit mystified why the preflight request consistently fails in Firefox 30 but works in Safari (7.0.2) and Chrome 35. I think this issue is different from "Why does the preflight OPTIONS request of an authenticated CORS request work in Chrome but not Firefox?" because I am not getting a 401, but rather a CORS-specific message from the browser client:

跨源请求被阻止:同源策略不允许读取位于 http://myurl.dev.com 的远程资源.可以通过将资源移动到同一域或启用 CORS 来解决此问题."

"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://myurl.dev.com. This can be fixed by moving the resource to the same domain or enabling CORS."

不显示源代码，这就是我正在做的事情:

Without showing source code, here's what I'm doing:

在服务器上:

OPTIONS 响应的标头:

Headers for OPTIONS response:

• Access-Control-Allow-Origin:[[从此处复制请求的来源]]
• 访问控制允许方法:POST GET OPTIONS"
• Access-Control-Allow-Headers:X-Requested-With"
• 访问控制允许凭据:真"

POST 响应的标头:

Headers for POST response:

• Access-Control-Allow-Origin:[[从此处复制请求的来源]]
• 访问控制允许凭据:真"

在浏览器客户端中:

jQuery.ajax({
  url: requestUrl,
  type: 'POST',
  data: getData(),
  xhrFields: {
    withCredentials: true
  }
});

根据规范，这将触发一个 OPTIONS 预检请求，该请求需要在其响应中包含 CORS 标头.我已经多次阅读 W3C 规范，但我无法确定我在该预检响应中做错了什么，如果有的话.

Per the spec, this will trigger a OPTIONS preflight request which needs to have the CORS headers in its response. I've read through the W3C spec several times and I can't identify what I'm doing wrong, if anything, in that preflight response.

推荐答案

问题:为什么这个 CORS 请求只在 Firefox 中失败?"

QUESTION: "Why is this CORS request failing only in Firefox?"

回答: 虽然与 OP 的具体情况无关，但它可能会帮助您了解 Firefox 默认情况下不信任 Windows 证书存储中的 CA(证书颁发机构)，这可能导致 Firefox 中的 CORS 请求失败(正如 Svish 在问题评论中提到的那样).

ANSWER: While unrelated to the OP's specific case, it may help you to know that Firefox does not trust CA's (certificate authorities) in the Windows Certificate Store by default, and this can result in failing CORS requests in Firefox (as was alluded to by Svish in the question comments).

要允许 Firefox 信任 Windows 证书存储中的 CA:

• 在 Firefox 中，在地址栏中输入 about:config
• 如果出现提示，请接受任何警告
• 右击创建一个新的布尔值，输入 security.enterprise_roots.enabled 作为名称将值设置为 true
• 然后重新测试失败的请求

• In Firefox, type about:config in the address bar
• If prompted, accept any warnings
• Right-click to create a new boolean value, and enter security.enterprise_roots.enabled as the Name Set the value to true
• Then re-test the failing request

答案来源:https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store

这篇关于为什么这个 CORS 请求只在 Firefox 中失败?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！