提问人:banapaya 提问时间:11/7/2023 更新时间:11/8/2023 访问量:31
Chrome/Edge 在 Firefox 工作时不跨域发送印前检查 OPTIONS 请求
Chrome/Edge not sending preflight OPTIONS requests cross origin while Firefox works
问:
我正在将标头中的令牌发送到同源和跨源服务器。我已将服务器设置为使用以下标头响应请求:Authorization
OPTIONS
HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://10.26.97.22:10251 (this is dynamically set to the origin of the request)
Vary: Origin
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: authorization
Access-Control-Max-Age: 86400
Connection: keep-alive
Firefox 上的请求可以正常工作(上面显示了 Firefox 的响应标头),触发预检请求的请求没有问题。POST
但是,Chrome 和 Edge 都无法正常工作,未报告任何错误。只是失败的请求说.net::ERR_RESPONSE_HEADERS_TRUNCATED
以下是对在Firefox上实际通过的请求的成功响应:POST
HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 07 Nov 2023 00:05:49 GMT
Content-type: application/json
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://10.26.97.22:10251 (again, this is dynamically set)
Vary: Origin
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
Content-Security-Policy: default-src 'none'; font-src 'self' data:; script-src 'self'; connect-src *; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';
Cache-Control: no-cache
我尝试清除缓存,以隐身模式打开网站,以及在禁用网络安全的情况下启动 chrome。仅在禁用 Web 安全性时才有效。
我比较了常规 Chrome 和 Firefox 之间的预检 requst 标头,见下文:
普通Chrome:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 10.26.97.30:10261
Origin: https://10.26.97.22:10251
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
火狐浏览器:
OPTIONS /homepage HTTP/1.1
Host: 10.26.97.30:10261
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
Origin: https://10.26.97.22:10251
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
答:
0赞
banapaya
11/8/2023
#1
事实证明,这可能是因为我没有正确终止标头。即使我已经指出响应没有内容(),它仍然需要额外的空行来终止标题部分。Firefox似乎比基于Chromimum的浏览器更宽容一些。在最后一个标题打印输出解决了该问题后添加了一个空行。OPTIONS
HTTP/1.1 204 No Content
来源:https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages
评论