CORS：不允许访问

时间：2016-02-03 12:36:41

标签： google-chrome cors browser-cache

我正在开发一个由三部分组成的网络应用程序：

RESTful API：api.example.com
最终用户前端：app.example.com
管理员前端：admin.example.com

API由最终用户和管理员前端使用，使用CORS。

当使用最终用户前端然后是管理前端，反之亦然，那么浏览器有时会拒绝来自第二前端的API请求，表明CORS违规。

Chrome示例（剥离了无关的标题）：

管理员前端：

请求

OPTIONS http://api.example.com/foo HTTP/1.1
Host: api.example.com
Access-Control-Request-Method: GET
Origin: http://admin.example.com
Access-Control-Request-Headers: accept, access-token
Accept: */*

响应

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://admin.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: 
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Access-Token, Content-Type
Allow: CHECKOUT,CONNECT,COPY,DELETE,GET,HEAD,LOCK,M-SEARCH,MERGE,MKACTIVITY,MKCALENDAR,MKCOL,MOVE,NOTIFY,PATCH,POST,PROPFIND,PROPPATCH,PURGE,PUT,REPORT,SEARCH,SUBSCRIBE,TRACE,UNLOCK,UNSUBSCRIBE
Content-Type: text/html; charset=utf-8
Content-Length: 186

CHECKOUT,CONNECT,COPY,DELETE,GET,HEAD,LOCK,M-SEARCH,MERGE,MKACTIVITY,MKCALENDAR,MKCOL,MOVE,NOTIFY,PATCH,POST,PROPFIND,PROPPATCH,PURGE,PUT,REPORT,SEARCH,SUBSCRIBE,TRACE,UNLOCK,UNSUBSCRIBE

请求

GET http://api.example.com/foo HTTP/1.1
Host: api.example.com
Accept: application/json, text/plain, */*
Origin: http:///admin.example.com

响应

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://admin.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: 
Content-Type: application/json; charset=utf-8
Content-Length: 13

{"foo":"bar"}

最终用户前端：

请求

OPTIONS http://api.example.com/foo HTTP/1.1
Host: api.example.com
Access-Control-Request-Method: GET
Origin: http://app.example.com
Access-Control-Request-Headers: accept, access-token
Accept: */*

响应

HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: 
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS, HEAD
Access-Control-Allow-Headers: Access-Token, Content-Type
Allow: CHECKOUT,CONNECT,COPY,DELETE,GET,HEAD,LOCK,M-SEARCH,MERGE,MKACTIVITY,MKCALENDAR,MKCOL,MOVE,NOTIFY,PATCH,POST,PROPFIND,PROPPATCH,PURGE,PUT,REPORT,SEARCH,SUBSCRIBE,TRACE,UNLOCK,UNSUBSCRIBE
Content-Type: text/html; charset=utf-8
ETag: W/"ba-U/n71cnfqD8lwz2D2E2sTA"
Content-Length: 186

CHECKOUT,CONNECT,COPY,DELETE,GET,HEAD,LOCK,M-SEARCH,MERGE,MKACTIVITY,MKCALENDAR,MKCOL,MOVE,NOTIFY,PATCH,POST,PROPFIND,PROPPATCH,PURGE,PUT,REPORT,SEARCH,SUBSCRIBE,TRACE,UNLOCK,UNSUBSCRIBE

请求

GET http://api.example.com/foo HTTP/1.1
Host: api.example.com
Accept: application/json, text/plain, */*
Origin: http://app.example.com
If-None-Match: W/"209-Jcid7C9NZEyaONIxutNnvA"

响应

HTTP/1.1 304 Not Modified
ETag: W/"209-Jcid7C9NZEyaONIxutNnvA"

在上次请求之后，浏览器控制台显示以下错误：

XMLHttpRequest无法加载http://api.example.com/foo。 “Access-Control-Allow-Origin”标头的值“http://admin.example.com”不等于提供的原点。因此，不允许原点“http://app.example.com”访问。

这只是一个谎言。

现在，如果我在Chrome的开发者工具中选中“停用缓存”，则不会再出现此问题。

有什么意义？

0 个答案:

没有答案