CORS预检请求返回“403禁止”;后续请求，然后只在Chrome中发送 [英] CORS preflight request returning "403 Forbidden"; subsequent request then only sending in Chrome

问题描述

在中使用pluploader失败后此问题，我现在尝试 FineUploader 。

在CORS上阅读之后，我在我的IIS6服务器上实现了各种标题。

After reading up on CORS, I've implemented various headers on my IIS6 server.

看来发生的是我的脚本触发了第一个c $ c> preflight ）授权请求失败，但Chrome允许第二个（标准）请求发送 - Firefox不。我认为这实际上是代表Chrome的一个错误，但至少它让我弄清楚我的脚本可能可能正常工作。

What seems to happen is that my script fires the first (preflight) authorisation request, which fails, but Chrome allows the second (standard) request to send anyway - Firefox does not. I presume this is actually a bug on behalf of Chrome, but at least it has allowed me to work out that my script is probably working correctly.

这是第一个（预检）请求，如Chrome和FF中所示：

Here is the first (preflight) request as seen in Chrome and FF:

OPTIONS /frog/LOTS/upload/php.php HTTP/1.1
Host: staff.curriculum.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Origin: http://frogserver.curriculum.local
Access-Control-Request-Method: POST
Access-Control-Request-Headers: cache-control,x-requested-with
Pragma: no-cache
Cache-Control: no-cache

Access-Control ... 头是我添加到IIS中的头。

The Access-Control... headers are those that I've added to IIS.

这是我的响应头：

HTTP/1.1 403 Forbidden
Content-Length: 1758
Content-Type: text/html
Server: Microsoft-IIS/6.0
x-powered-by: ASP.NET
Access-Control-Allow-Origin: http://frogserver.curriculum.local
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Cache-Control
Access-Control-Allow-Methods: OPTIONS, GET, POST
Access-Control-Expose-Headers: Origin, X-Requested-With
Date: Mon, 22 Apr 2013 15:19:20 GMT

我试图比较两者并排，但我找不到任何缺失将会导致 preflight 请求返回 403禁止错误。

I've tried to compare the two side by side but I can't find any missing headers which would cause the preflight request to return a 403 Forbidden error.

不包括我的PHP源代码，因为它是很多代码。只要说它在Chrome中有效，并且文件已正确上传，则脚本应该正确。唯一值得一提的是我在我的脚本开头有一个头（Content-Type：text / plain）; 。将 text / html 更改为Chrome或FireFox没有任何区别。

I haven't included my PHP source as it's a lot of code. Suffice to say that it does work in Chrome and that the file is correctly uploaded, so the script should be correct. The only thing which may be worth mentioning is that I've got a header("Content-Type: text/plain"); at the start of my script. Changing that to text/html makes no difference to Chrome nor FireFox.

JavaScript非常简单：

The JavaScript is quite straightforward:

$('#jquery-wrapped-fine-uploader').fineUploader({
    request: {
        endpoint: 'http://staff.curriculum.local/frog/LOTS/upload/php.php'
    },
    cors: {
        expected: true, //all requests are expected to be cross-domain requests
        sendCredentials: true //if you want cookies to be sent along with the request
    }
});

任何人都可以帮助？我今天花了8小时对这个单一的问题，我>

Can anyone help? I've spent literally 8 hours on this single problem today and I'm >< close to ripping my own face off....!!

提前感谢，

推荐答案

这花了我一个星期，但我终于找到了问题。

It's taken me a week, but I've finally found the problem.

默认情况下， IIS6不支持OPTIONS动词.php文件（或者.asp（x））。

By default, IIS6 does not support the OPTIONS verb on .php files (or .asp(x) for that matter).

因为它不能识别

As such, it wasn't recognising the OPTIONS preflight call at all.

要在IIS6中更改此值，请按照下列步骤操作：

To change this value in IIS6, follow these steps:

1. 在IIS管理器中，转到您的根网站目录。右键点击它并选择属性


2. 转到主目录标签，然后选择底部的配置按钮




4. 添加选项

1. In the IIS Manager, go to your root web site directory. Right-click it and select "Properties"
2. Go to the Home Directory tab, then select the "Configuration" button at the bottom
3. Find the relevant file extension of the script you're trying to communicate with, such as .php or .asp and click "edit"
4. Add OPTIONS to the list of available verbs (should now display something like REQUEST, GET, POST, OPTIONS)
5. Add the code below to your PHP script to determine responses from IE

我的PHP脚本中没有下列代码， / p>

I couldn't get Internet Explorer working without the following code in my PHP script:

/* Is the request from Internet Explorer? */
if( !isset( $_SERVER['HTTP_X_REQUESTED_WITH'] )
    || ( isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest" ) ) {

    /* If so, we need to send a UUID and iframe XSS response script... */
    header("Content-Type: text/html");

    /* This needs some extra security, for sure */
    if( $result["success"] == "true" )
        $result["uuid"] = $_POST["qquuid"];

    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
    echo "<script src='iframe.xss.response-3.4.1.js'></script>";
} else {
    /* Otherwise, we can just echo the json'd result */
    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
}

我给了Ray Nicholus 50点奖金，发现他的方式特别有帮助，他一直是对的。但是，为了别人查看此帖有类似的问题，我会标记我的答案是正确的。

I've given Ray Nicholus the 50 point bounty as although I didn't find his manner particularly helpful, he was right all along. However, for purposes of others viewing this post with a similar issue, I'll mark my answer as correct.

这篇关于CORS预检请求返回“403禁止”;后续请求，然后只在Chrome中发送的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！