IE11 CORS拒绝https上的OPTIONS

时间:2016-01-19 16:31:57

标签: java angularjs jersey cors internet-explorer-11

IE11由于某种原因拒绝PUT请求,但仅在我使用https时。 我很难找到问题,因为使用http,localhost和其他浏览器工作正常。

控制台显示两个错误

SEC7124: Request method PUT was not present in the Access-Control-Allow-Methods list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.

从浏览器发送的OPTION请求

Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: accept, content-type, session-id
Access-Control-Request-Method: PUT   
Cache-Control: no-cache 
Connection: Keep-Alive  
Content-Length: 0  
Host: api.domain.com  
Origin: https://portal.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

并且服务器的响应如下:

X-Powered-By: Servlet/2.5
Server: server
Content-Encoding: gzip
Access-Control-Expose-Headers: Session-Id
Access-Control-Allow-Origin: *
Access-Control-Max-Age: -1
Allow: OPTIONS,GET,HEAD,PUT
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, Content-Type, session-id, authorization, portal-url
Content-Type: application/vnd.sun.wadl+xml
Content-Length: 352
Date: Tue, 19 Jan 2016 15:33:38 GMT

AngularJS用于客户端标准$ http PUT。 服务器端使用带有jersey的Java,处理CORS的请求过滤器如下:

 public ContainerResponse filter( final ContainerRequest request, final ContainerResponse response )
{
    if ( request.getHeaderValue( "Origin" ) != null ) 
    {
        final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
        headers.add( "Access-Control-Allow-Origin", "*" );
        headers.add( "Access-Control-Expose-Headers", "Session-Id" );
        headers.add( "Access-Control-Allow-Credentials", Boolean.TRUE.toString() );
    }

    if ( "OPTIONS".equals( request.getMethod() ) ) 
    {
        final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
        for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] ) 
        {
            headers.add( "Access-Control-Allow-Methods", method );
        }
        headers.add( "Access-Control-Allow-Headers",
                "accept, origin, Content-Type, session-id, authorization, portal-url, " 
                + "If-Modified-Since, Cache-Control, Pragma" );
        headers.add( "Access-Control-Max-Age", "-1" );            
    }

    return response;
}

也许你可以看到可能出现的问题。

由于

1 个答案:

答案 0 :(得分:3)

我设法找到了问题。

我在https上看到了这个问题,因为门户网站和主机位于不同的域上。我无法在localhost上复制该问题,因为服务器和门户都在同一个域上。这意味着OPTION请求未被发送,一切都按预期工作。在localhost上运行门户并使用IP地址作为服务器URL而不是localhost后,OPTION请求包含在请求中,我可以复制我的问题。

问题本身就是关注服务器上的代码

    for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] ) 
    {
        headers.add( "Access-Control-Allow-Methods", method );
    }

由于某种原因,IE不喜欢多个Access-Control-Allow-Methods标头。将代码更改为以下问题后,问题就解决了。 

 List<String> ALLOWED_METHODS = Arrays.asList( "OPTIONS", "GET", "POST", "PUT", "DELETE" );
 headers.add( "Access-Control-Allow-Methods", ALLOWED_METHODS );
相关问题
最新问题