httpd duplicate Access-Control-Allow-Origin with "Header always set"


Problem description

I am trying to enable CORS on my server. It hosts both an Apache HTTPD and an Apache Tomee. HTTPD is configured as:

SetEnvIf Origin "^https://(.+\.)?my-domain\.com$" allowed_origin=$0
Header always set Access-Control-Allow-Origin %{allowed_origin}e env=allowed_origin
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PUT, DELETE, PATCH"
Header set Access-Control-Allow-Headers "accept,x-requested-method,origin,x-requested-with,x-request,cache-control,content-type"
Header set Access-Control-Max-Age "600"

and my Tomee web XML:

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Language,Keep-Alive</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST,HEAD,OPTIONS,PUT,PATCH,DELETE</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

My problem is I get the Access-Control-Allow-Credentials header twice in the response to the preflight OPTIONS request:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://my-origin.my-domain.com
Access-Control-Allow-Origin: https://my-origin.my-domain.com
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 600
Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE, PATCH
Access-Control-Allow-Headers: accept,x-requested-method,origin,x-requested-with,x-request,cache-control,content-type,authorization

I don't understand why the usage of the set keyword in my HTTPD configuration does not remove the duplicate Access-Control-Allow-Origin. Moreover, if I remove the 'always' keyword it returns one Access-Control-Allow-Origin only...

Recommended answer

Experiencing a similar issue. Spent a lot of time in debugging.

It is a bug in Apache. A failure of the internal design and a failure to document it.

Header [table] set [cookie] [value] [...]

That's the command to manipulate headers. There are at least two cookie tables in apache.


  • onsuccess, default, used for 20X status codes.
  • always, used for errors, including redirect codes.

Judging by my experience in the wild, all cookies from all tables are appended to the response.

In your example, the cookie set by Tomcat is in the onsuccess table, the cookie set in apache is in the always table. The response gets both cookies, hence the duplication.

It gets more messy than that. The tables have different meanings depending on what modules are in use. For instance, when using proxy or CGI, the relevant table for cookies is onsuccess if the upstream server delivers an error successfully, but always if an internal apache error occurs.

This behavior is not documented. That seems not intentional but a consequence of apache internals. In the current state, it is basically impossible to manipulate headers properly with Apache.
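
The two-table behaviour described in the answer, as an added example (not code from the original post or from Apache): a simplified Python model in which "set" only replaces a header inside its own table, plus a check that flags repeated Access-Control-* headers in a raw response. ResponseModel, simulate and duplicate_cors_headers are hypothetical names, and the unset step assumes the mod_headers form "Header onsuccess unset Access-Control-Allow-Origin" placed before the "Header always set" line.

```python
from collections import Counter


class ResponseModel:
    """Constructed, simplified model: two header tables, both sent on the wire."""
    def __init__(self):
        self.tables = {"onsuccess": [], "always": []}

    def header_unset(self, table, name):
        kept = [(n, v) for n, v in self.tables[table] if n.lower() != name.lower()]
        self.tables[table] = kept

    def header_set(self, table, name, value):
        # "set" replaces an existing header only inside the named table.
        self.header_unset(table, name)
        self.tables[table].append((name, value))

    def emit(self):
        lines = ["HTTP/1.1 200 OK"]
        for table in ("onsuccess", "always"):
            lines += [f"{n}: {v}" for n, v in self.tables[table]]
        return "\r\n".join(lines) + "\r\n\r\n"


def duplicate_cors_headers(raw_response):
    """Return sorted Access-Control-* header names that occur more than once."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    names = [ln.split(":", 1)[0].strip().lower() for ln in head.split("\r\n")[1:] if ":" in ln]
    counts = Counter(n for n in names if n.startswith("access-control-"))
    return sorted(n for n, c in counts.items() if c > 1)


def simulate(unset_backend_copy):
    origin = "https://my-origin.my-domain.com"  # value from the page's response
    resp = ResponseModel()
    # Proxied backend header (the Tomcat CorsFilter) lands in the onsuccess table.
    resp.header_set("onsuccess", "Access-Control-Allow-Origin", origin)
    if unset_backend_copy:
        # Mirrors: Header onsuccess unset Access-Control-Allow-Origin
        resp.header_unset("onsuccess", "Access-Control-Allow-Origin")
    # Mirrors: Header always set Access-Control-Allow-Origin ...
    resp.header_set("always", "Access-Control-Allow-Origin", origin)
    # Mirrors: Header set Access-Control-Allow-Credentials "true"
    resp.header_set("onsuccess", "Access-Control-Allow-Credentials", "true")
    return duplicate_cors_headers(resp.emit())


if __name__ == "__main__":
    print(simulate(False), simulate(True))
```

Browsers fail the CORS check when Access-Control-Allow-Origin carries more than one value, so the same check can be run against captured preflight responses after any change to either layer.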
