Chrome adding Origin header to same-origin request


Problem description

We're POSTing an AJAX request to a server running locally, i.e.

var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:9000/context/request");
// custom request headers are set one at a time after open()
xhr.setRequestHeader(customHeaderName, customHeaderValue);
xhr.send(someData);

The page from which this JavaScript is being executed is also being served from localhost:9000, i.e. this totally looks like a same-origin request.

However, for some reason, Google Chrome always sets an Origin header in the resulting request, causing our server to block the request based on the false assumption that it's a CORS request.

This does not happen in Firefox.

Also, neither Firefox nor Chrome are sending an OPTIONS preflight request, which is confusing; why set an Origin header without first preflighting to make sure the Origin and the custom headers are allowed by the server?

Does anyone know what is going on in this case? Are we misunderstanding the CORS spec?

Recommended answer

Chrome and Safari include an Origin header on same-origin POST/PUT/DELETE requests (same-origin GET requests will not have an Origin header). Firefox doesn't include an Origin header on same-origin requests. Browsers don't expect CORS response headers on same-origin requests, so the response to a same-origin request is sent to the user, regardless of whether it has CORS headers or not.

I would recommend checking the Host header, and if it matches the domain in the Origin header, don't treat the request as CORS. The headers look something like this:

Host: example.com
Origin: http://example.com

Note that Origin will have the scheme (http/https), domain and port, while Host will only have the domain and port.
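The Host/Origin comparison the answer recommends is easy to get wrong because Origin carries a scheme and may omit a default port while Host does not carry a scheme. The following is an added example, not code from the question or the answer: a small server-side classifier (plain JavaScript, usable in a Node request handler) that normalises both headers to "hostname:port" before comparing them. The function names, the header object shape (lowercase keys, as Node's req.headers provides) and all sample values are assumptions for this illustration.

```javascript
// Added example: classify an incoming request as same-origin or cross-origin
// by comparing the Host header with the host part of the Origin header.
// All names and sample values here are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a Host header value ("domain" or "domain:port", IPv6 in brackets)
// into "domain:port", filling in the default port for the scheme the server
// is actually serving on, so "example.com" and "example.com:80" compare equal.
function normalizeHostPort(hostPort, scheme) {
  const m = /^(\[[^\]]+\]|[^:\s]+)(?::(\d+))?$/.exec(String(hostPort).trim());
  if (!m) return null;
  const port = m[2] || DEFAULT_PORTS[scheme];
  return port ? `${m[1].toLowerCase()}:${port}` : null;
}

// Returns one of: "no-origin" (header absent, e.g. a same-origin GET),
// "opaque-origin" (Origin: null), "same-origin" or "cross-origin".
// `headers` is an object with lowercase header names; `serverScheme` is the
// scheme the server is listening on, because Host never tells you that.
function classifyRequest(headers, serverScheme = "http:") {
  const origin = headers["origin"];
  const host = headers["host"];
  if (origin === undefined) return "no-origin";
  if (origin === "null") return "opaque-origin";

  let url;
  try {
    url = new URL(origin);            // Origin is "scheme://host[:port]"
  } catch (e) {
    return "cross-origin";            // unparsable Origin: do not trust it
  }
  // A scheme mismatch (http page hitting an https server) is never same-origin,
  // even when the domain and port agree.
  if (url.protocol !== serverScheme) return "cross-origin";

  // URL drops the port when it is the scheme default, so restore it.
  const originHostPort =
    `${url.hostname.toLowerCase()}:${url.port || DEFAULT_PORTS[url.protocol]}`;
  const hostHeader = normalizeHostPort(host || "", serverScheme);
  return hostHeader === originHostPort ? "same-origin" : "cross-origin";
}

// Constructed sample requests modelled on the question (Chrome POST to localhost:9000).
const SAMPLES = [
  { host: "localhost:9000", origin: "http://localhost:9000" },  // Chrome same-origin POST
  { host: "localhost:9000" },                                   // Firefox, or any same-origin GET
  { host: "localhost:9000", origin: "http://localhost:9001" },  // different port
  { host: "example.com", origin: "https://example.com" },       // default https port omitted
];

function classifySamples() {
  return SAMPLES.map((h) =>
    classifyRequest(h, h.origin && h.origin.startsWith("https") ? "https:" : "http:"));
}

for (const [i, verdict] of classifySamples().entries()) {
  console.log(JSON.stringify(SAMPLES[i]), "->", verdict);
}
```

Only "cross-origin" requests need the CORS policy applied; "no-origin" and "same-origin" requests get the normal response, which matches the browser behaviour the answer describes. Two caveats for a production deployment: Host is supplied by the client, so comparing against the list of hostnames the server is configured to serve is more robust than trusting the raw header, and a request can be same-origin for CORS purposes and still need a CSRF token if it performs a state change.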

