httpd duplicate Access-Control-Allow-Origin with "Header always set"

Problem description

I am trying to enable CORS on my server. It hosts both an Apache HTTPD and an Apache Tomee. HTTPD is configured as:

SetEnvIf Origin "^https://(.+\.)?my-domain\.com$" allowed_origin=$0
Header always set Access-Control-Allow-Origin %{allowed_origin}e env=allowed_origin
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PUT, DELETE, PATCH"
Header set Access-Control-Allow-Headers "accept,x-requested-method,origin,x-requested-with,x-request,cache-control,content-type"
Header set Access-Control-Max-Age "600"

And my Tomee web XML:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Language,Keep-Alive</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT,PATCH,DELETE</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

My problem is I get the Access-Control-Allow-Credentials header twice in the response to the preflight OPTIONS request:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://my-origin.my-domain.com
Access-Control-Allow-Origin: https://my-origin.my-domain.com
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 600
Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE, PATCH
Access-Control-Allow-Headers: accept,x-requested-method,origin,x-requested-with,x-request,cache-control,content-type,authorization

I don't understand why the usage of the set keyword in my HTTPD configuration does not remove the duplicate Access-Control-Allow-Origin. Moreover, if I remove the 'always' keyword it returns one Access-Control-Allow-Origin only...

Recommended answer

Experiencing a similar issue. Spent a lot of time debugging.

It is a bug in Apache. A failure of the internal design and a failure to document it.

Header [table] set [cookie] [value] [...]

That's the command to manipulate headers. There are at least two cookie tables in apache.

  • onsuccess, default, used for 20X status codes.
  • always, used for errors, including redirect codes.

Judging by my experience in the wild, all cookies from all tables are appended to the response.

In your example, the cookie set by Tomcat is in the onsuccess table, the cookie set in apache is in the always table. The response gets both cookies, hence the duplication.

It gets more messy than that. The tables have different meanings depending on what modules are in use. For instance, when using proxy or CGI, the relevant table for cookies is onsuccess if the upstream server delivers an error successfully, but always if an internal apache error occurs.

This behavior is not documented. That does not seem intentional but a consequence of apache internals. In the current state, it is basically impossible to manipulate headers properly with Apache.
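
One way to end up with a single Access-Control-Allow-Origin in the setup from the question, shown as an added example that is not part of the original question or answer. It assumes Tomee is proxied behind httpd with mod_setenvif and mod_headers loaded, and the origin pattern is written with escaped dots so that "." matches only a literal dot.

```apache
# Added example, not from the original post.
# Assumption: Tomee is a proxied backend and its CorsFilter also emits
# Access-Control-Allow-Origin on successful responses.

# Capture the request Origin only when it matches the allow-list pattern.
SetEnvIf Origin "^https://(.+\.)?my-domain\.com$" allowed_origin=$0

# Remove the copy the backend placed in the default (onsuccess) table ...
Header onsuccess unset Access-Control-Allow-Origin
# ... and any copy already sitting in the always table.
Header always unset Access-Control-Allow-Origin

# Emit exactly one value from the always table, so it is also present on
# locally generated error and redirect responses. When the Origin did not
# match, allowed_origin is unset and no header is sent at all.
Header always set Access-Control-Allow-Origin "%{allowed_origin}e" env=allowed_origin

# The response now depends on the request Origin, so tell caches.
Header always merge Vary Origin
```

With this in place httpd is the only component deciding the allowed origin. Browsers reject a CORS response that carries more than one Access-Control-Allow-Origin value, so the preflight response should be checked for exactly one.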
