安全错误使用CORS在IE10与Node和Express [英] Security error using CORS in IE10 with Node and Express

问题描述

我正在构建一个托管在 http://example.com 上的Backbone应用程序，它使用托管在 https：// api上的API。 example.com 。对于API，我使用Node.js与Express.js框架。我的CORS解决方案似乎在每个主要的浏览器除了IE（它甚至在IE10失败）。工作

I'm constructing a Backbone application hosted on http://example.com which utilizes an API hosted on https://api.example.com. For the API, I'm using Node.js with the Express.js framework. My CORS solution seems to work in every major browser except IE (it even fails in IE10).

当从IE10发起请求时，请求从未命中API服务器。据我所知，该请求甚至不被发送。当我使用IE10的开发人员工具检查请求时，请求标头和响应标头都为空。当从任何其他浏览器发送请求时，会收到请求并正确生成响应。

When a request is initiated from IE10, the request never hits the API server. As far as I can tell, the request is not even being sent. When I inspect the request using IE10's developer tools, both the request headers and response headers are blank. When a request is sent from any other browser, the request is received and a response is properly generated.

这是我看到的错误控制台：

This is the error I see in the console:

SCRIPT 7002: XMLHttpRequest: Network Error 0x4c7, The operation was canceled by the user.

请求使用jQuery：

The request uses jQuery:

$.ajax({
  url: apiRoot + "/endpoint",
  success: function(response) {
    // Omitted irrelevant code
  }
});

根据此文章，CORS在IE中默认禁用，必须启用：

According to this article, CORS is disabled in IE by default and must be enabled:

Explorer忽略Access-Control-Allow标头，默认情况下
禁止Internet区域的跨源访问。要启用CORS，请转到
工具 - > Internet选项 - >安全选项卡，单击自定义级别按钮。
查找其他 - >访问跨域的数据源，设置
并选择启用选项。

Internet Explorer ignores Access-Control-Allow headers and by default prohibits cross-origin access for Internet Zone. To enable CORS go to Tools->Internet Options->Security tab, click on "Custom Level" button. Find the Miscellaneous -> Access data sources across domains setting and select "Enable" option.

足够，当我启用此设置，请求通过，一切工作，因为它应该。但是，我已经读过这个设置实际上与CORS无关，并且不应该影响它。使用此工具测试CORS兼容性时，无论此设置是启用还是禁用，这让我相信CORS 是启用的，我只是做错了。

Sure enough, when I enable this setting, the request goes through and everything works as it should. However, I've read that this setting is not actually related to CORS and shouldn't affect it. When using this tool to test for CORS compatibility, IE10 passes regardless of whether this setting is enabled or disabled, which leads me to believe CORS is enabled and I'm just doing something wrong.

此外，一切似乎都工作，因为它应该当我运行 Fiddler 时，因为Fiddler充当代理。

Also, everything seems to work as it should when I run Fiddler, since Fiddler is acting as a proxy.

为了参考，这里是服务器端的CORS相关代码：

For reference, here's the CORS-related code on the server side:

res.header("Access-Control-Allow-Origin", "example.com");
res.header("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
res.header("Access-Control-Allow-Headers", "Content-Type, Authorization, X-File-Name, X-File-Size, X-File-Type");
res.header("Access-Control-Allow-Credentials", true);
if (req.method == "OPTIONS") {
 res.send(200);
}

推荐答案

API服务器使用HTTP而不是HTTPS。该问题听起来像可能与服务器的SSL设置相比，更多的要求本身。如果是这种情况，请尝试使用SSL设置来执行此操作。

Try sending the request to the API server using HTTP instead of HTTPS. The issue sounds like it may have to do with the server's SSL settings more so than the request itself. If this is the case try using SSL settings to something like this.

var options = {
  key:    fs.readFileSync(key),
  cert:   fs.readFileSync(certificate),
  ca:     fs.readFileSync(CA),
  requestCert:        false,
};

https.createServer(options, app).listen(443);

这篇关于安全错误使用CORS在IE10与Node和Express的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！