No 'Access-Control-Allow-Origin' header. But the header exists

Time: 2017-11-04 10:19:10

Tags: javascript cors

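I have a problem with jscropper. I don't know why I get this message in the console:

Failed to load https://cdn.dmove.it/images/409/foto1.jpg: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://www.dmove.it' is therefore not allowed access.

I tried reading the answers, and I understand that this is a CORS problem, but the CORS configuration is OK.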

 curl -H "Origin: https://www.dmove.it" --verbose --head \
    https://cdn.dmove.it/images/412/ionity-cop.jpg >> debugcors.txt

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 13.32.176.105...
* Connected to cdn.dmove.it (13.32.176.105) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: cdn.dmove.it (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: CN=cdn.dmove.it
*    start date: Wed, 11 Oct 2017 00:00:00 GMT
*    expire date: Sun, 11 Nov 2018 12:00:00 GMT
*    issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
*    compression: NULL
* ALPN, server accepted to use http/1.1
> HEAD /images/412/ionity-cop.jpg HTTP/1.1
> Host: cdn.dmove.it
> User-Agent: curl/7.47.0
> Accept: */*
> Origin: https://www.dmove.it
>
< HTTP/1.1 200 OK
< Content-Type: image/jpeg
< Content-Length: 113702
< Connection: keep-alive
< Date: Sat, 04 Nov 2017 10:03:51 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD
< Access-Control-Max-Age: 3000
< Last-Modified: Fri, 03 Nov 2017 21:41:43 GMT
< ETag: "837db6c7a1ae9c54387629ff42fa3684"
< Cache-Control: max-age=315576000
< Accept-Ranges: bytes
< Server: AmazonS3
< Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
< Age: 620
< X-Cache: Hit from cloudfront
< Via: 1.1 4f95eb10423b781564e79d7c85f85795.cloudfront.net (CloudFront)
< X-Amz-Cf-Id: VDsmZGCzxLz5T9RCPlspCb2zyzjo7US-N5tsb605ojM3fv0jXxafxQ==
<

The website is https://www.dmove.it, the distribution is S3 with CloudFront, and I whitelisted the headers in the distribution settings.

What's wrong?

1 answer:

Answer 0: (score: 0)

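You are probably hitting a CloudFront cached response that does not have the CORS headers set. Your browser may also be reusing a cached response that does not have the CORS headers set.

Add a CloudFront "Edge-To-Origin" Origin header to force the CORS response headers on every request (XHR or non-XHR):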

Origin ---> http://sub.domain.com
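
Added example (not part of the original question or answer, and not CloudFront or S3 code): a simplified JavaScript model of the cache behaviour the answer describes, showing why a plain image load followed by a CORS-mode load of the same URL fails, and how forwarding or injecting the Origin header changes the result. The function names, the options `forwardOrigin` and `injectOrigin`, the image path and the page origin are hypothetical; the model assumes the origin only emits CORS headers when the request carries an Origin header.

```javascript
// Added illustration: a simplified model, not CloudFront or S3 code.
// Assumption: the origin emits CORS headers only when the request has an Origin header.
function originServer(req) {
  const headers = { 'content-type': 'image/jpeg' };
  if (req.headers.origin) headers['access-control-allow-origin'] = '*';
  return { status: 200, headers };
}

// Edge cache (hypothetical options):
//   forwardOrigin: the viewer's Origin is forwarded and is part of the cache key
//   injectOrigin:  a fixed Origin is added to every edge-to-origin request
function makeEdge({ forwardOrigin = false, injectOrigin = null } = {}) {
  const cache = new Map();
  return function fetchViaEdge(url, viewerHeaders = {}) {
    const key = forwardOrigin ? `${url}|${viewerHeaders.origin || ''}` : url;
    if (cache.has(key)) return { ...cache.get(key), xCache: 'Hit' };
    const upstream = {};
    if (forwardOrigin && viewerHeaders.origin) upstream.origin = viewerHeaders.origin;
    if (injectOrigin) upstream.origin = injectOrigin;
    const res = originServer({ url, headers: upstream });
    cache.set(key, res);
    return { ...res, xCache: 'Miss' };
  };
}

// The browser's check for a CORS-mode request made from pageOrigin.
function corsAllowed(res, pageOrigin) {
  const acao = res.headers['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

// Replay: a plain image load (no Origin header) warms the cache,
// then the same URL is requested in CORS mode (with an Origin header).
function replay(edgeOptions) {
  const edge = makeEdge(edgeOptions);
  const url = '/images/example.jpg';       // constructed path
  const page = 'https://www.example.test'; // constructed page origin
  edge(url, {});
  const second = edge(url, { origin: page });
  return { xCache: second.xCache, allowed: corsAllowed(second, page) };
}

console.log('url-only cache key:', replay({}));
console.log('Origin forwarded  :', replay({ forwardOrigin: true }));
console.log('Origin injected   :', replay({ injectOrigin: 'http://sub.domain.com' }));
```

In the first case the CORS-mode request is answered from the entry cached for the plain image load, so the browser sees no `Access-Control-Allow-Origin` header even though a direct check with an Origin header against a fresh object shows one.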