CORS无法处理javascript文件中的请求

时间:2017-01-05 22:22:20

标签: firefox cors apache2.4

我为我的静态子域配置了CORS,我可以使用主域和子域中的静态文件。

问题是我在javascript文件中有一个get请求,而firefox只是抱怨那个请求,就是我在html代码上发出的​​其他请求所在的静态子域名。

我以前不记得有这个问题了,也许CORS(firefox)的一些变化让这个不再适用了?

脚本(来自.js文件内):

$('#example').DataTable( {
    //[...]
    language: {
        "url": "//static.domain.com/js/DataTables-Spanish.json"
    },
    //[...]
} );

这就是它实际做的,一个jquery ajax请求方法:

if ( oLanguage.sUrl !== "" )
{
    /* Get the language definitions from a file - because this Ajax call makes the language
     * get async to the remainder of this function we use bInitHandedOff to indicate that
     * _fnInitialise will be fired by the returned Ajax handler, rather than the constructor
     */
    $.ajax( {
        dataType: 'json',
        url: oLanguage.sUrl,
        success: function ( json ) {
            _fnLanguageCompat( json );
            _fnCamelToHungarian( defaults.oLanguage, json );
            $.extend( true, oLanguage, json );
            _fnInitialise( oSettings );
        },
        error: function () {
            // Error occurred loading language file, continue on as best we can
            _fnInitialise( oSettings );
        }
    } );
    bInitHandedOff = true;
}

firefox控制台中的错误:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.mydomain.com/js/DataTables-Spanish.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

CORS配置(在vhost块内):

<IfModule mod_headers.c>
    SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=$0
    Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
    Header set Access-Control-Allow-Methods: "GET"
</IfModule>

再次,正如您所看到的,在静态子域中正确配置了CORS,我只得到了javascript文件中的请求的抱怨。

为什么firefox抱怨?

Firefox网络监视器

Status: 200 - Method: GET - File: DataTables-Spanish.json - Domain: (green lock) static.domain.com - Cause: script - Type: json 

-Request headers:

Host: static.domain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en,en-US;q=0.7,es;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://sub1.domain.com/site
Origin: https://sub1.domain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-Response headers:

Accept-Ranges: bytes
Content-Length: 932
Content-Type: application/json
Date: Fri, 06 Jan 2017 02:34:49 GMT
Etag: "3a4-52ef9645b6940"
Last-Modified: Sat, 26 Mar 2016 20:19:09 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2j
X-Firefox-Spdy: h2
access-control-allow-methods: GET
strict-transport-security: max-age=63072000; includeSubdomains;

编辑:如果我在配置中使用通配符而不是正则表达式,它可以正常工作:

<IfModule mod_headers.c>
    #SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=$0
    #Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
    Header set Access-Control-Allow-Origin: *
    Header set Access-Control-Allow-Methods: "GET"
</IfModule>

所以现在的问题是:为什么它不能与正则表达式一起使用?

如果我将该标题放在最后一行,它将与正则表达式一起使用:

<IfModule mod_headers.c>
    SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=$0
    Header set Access-Control-Allow-Methods "GET"
    Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
</IfModule>

1 个答案:

答案 0 :(得分:0)

问题是我从另一个问题中获取了代码,并没有注意到以下内容:

SetEnvIfNoCase

这恰好与我想要的相反,即将正则表达式中的域列入白名单:

SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=$0
Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Methods "GET"

其他html请求不应该被cors阻止,这就是原因。

相关问题
最新问题