如何删除CORB警告?

时间:2019-03-14 02:15:59

标签: javascript jquery google-chrome cors cross-origin-read-blocking

Chrome一直可以使用到73版。现在,它向我抛出了CORB警告并停止了我的chrome扩展程序的运行。

这是我的ajax jQuery代码,没什么特别的

func ListServers() (map[string]map[string]interface{}, error) {
listOptions := servers.ListOpts{}
pager := servers.List(GetClientCompute(), listOptions)
err := pager.EachPage(func(page pagination.Page) (bool, error) {
    serverList, err := servers.ExtractServers(page)
    if err != nil {
        fmt.Println(err)
    }
    for _, s := range serverList {
        row["ID"] = s.ID                                 <---- error is here
        row["Name"] = s.Name                                 <---- error is here
        if s.Addresses["public"] != nil {
            for _, i := range s.Addresses["public"].([]interface{}) {
                temp := i.(map[string]interface{})
                if temp["version"].(float64) == 4 {
                    row["IP"] = temp["addr"]
                }
            }
        }
        t, _ := time.Parse(time.RFC3339, s.Created)
        row["Flavor"] = s.Flavor
        row["Created"] = time.Now().Sub(t)                                 <---- error is here
        row["Status"] = s.Status                                 <---- error is here
    }
    return false, nil
})
// fmt.Println(lists)
return row, err

我确实注意到,如果删除x-content-type-options标头,使其不再读取“ nosniff”,我可以得到一些Ajax请求,但不能返回其他请求。不知道这是否意味着什么,但我注意到返回数组的json请求有效,而其他请求则无效。 

  $.ajax({
    url: this.url + "api/users",
    type: 'get',
    data: { account_id: this.account_id(), user_id: this.user_id(), person_id: person_id },
    success: function (data) {
      //do stuff
    }
});

Chrome出现完全错误

remove_keys = %w(X-Content-Type-Options)
response.headers.delete_if{|key| remove_keys.include? key}

[{'id' : '123'}] <-worked
{'id' : '123'} <- did not work (not sure if means anything)

响应头

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://ideas.test/api/users?token=W9BDdoiKcXLWSHXWySnwdCV69jz2y&account_id=3098355&user_id=john%40gmail.com&person_id=21046915&sync=false&new=true with MIME type application/json. See https://www.chromestatus.com/feature/5629709824032768 for more details.

请求标头

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: x-auth_token
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
Access-Control-Allow-Origin: chrome-extension://mhikhjencpecbhelhjgdcgpdhlhdlhjh
Access-Control-Expose-Headers: 
Access-Control-Max-Age: 1728000

如何在不因CORB而导致镀铬去除主体的情况下返回响应主体?

4 个答案:

答案 0 :(得分:1)

您似乎在请求中放入了CORS标头。您需要将它们放入响应中。

答案 1 :(得分:1)

我找到了解决方法。可能对某人来说是一个过大的杀伤力,但我花了15分钟才能解决所有问题。在内容脚本中,将所有的ajax调用包装到一个函数中:

将ajaxGet函数添加到您的内容脚本中:

function ajaxGet(data){
    return new Promise(function (resolve, reject) {
        chrome.runtime.sendMessage({action: 'ajaxGet', data: data}, function (response) {
            console.log(response)
            if(response&&!response.statusText){//Might need some work here
                resolve(response);
            } else {
                reject(response)
            }
        });
    });
}

然后在您的background.js中添加一个侦听器:

chrome.runtime.onMessage.addListener(function(request, sender, sendResponse) {
   if(request.action=="ajaxGet"){
       $.ajax(request.data).then(sendResponse,sendResponse)
       return true //telling chrome to wait till your ajax call resolves
   }
})

代替

$.ajax({
    url: this.url + "api/user_boards",
    type: 'get',
    data: { account_id: this.account_id()}
})

致电

ajaxGet({
    url: this.url + "api/user_boards",
    type: 'get',
    data: { account_id: this.account_id()}
}).then(onSuccess, onError) //handle response from here

如果您不想在background.js中使用jquery,则可以进行Xhr调用。像这样:

var data = JSON.stringify(false);

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === this.DONE) {
    console.log(this.responseText);
    sendResponse(this.responseText)
  } else {
    //handle errors
  }
});

xhr.open("GET", request.data.url);

xhr.send(data);

您将不得不自行解决标题。

答案 2 :(得分:0)

Chrome 73注入了一些新的安全性。只需尝试使用chrome.runtime.sendMessage将xHTTP请求移至后台脚本并通过SendResponse回调获得响应。

在内容或弹出脚本中,将ajax替换为:

chrome.runtime.sendMessage(
  { action: "check", data: {/* params for url */}}, 
  // callback with url response
  function(response) {
    if( response.success ) {
      var myDataFromUrl = response.data;
      ...
    } else {
      console.log('Error with `check`,', response.data);
    }
  }
);

来自后台脚本:

chrome.runtime.onMessage.addListener(
  function(request, sender, sendResponse) {
    var url = 'https://mysyte.com/';
    if(request.action === 'check' ) {
      url = url + 'check'
      ajax( url, request.data, 
        success: function( d ) {
          sendResponse({success: true, data: d});
        },
        error : function( d ) {
          sendResponse({success: false, data: d});
        }
      );
    }
});

function ajax( url, params, cbSuccess, cbError ) { ... }

答案 3 :(得分:0)

解决CSP和CORS问题后,我仍然收到关于OPTIONS方法调用的警告(对于跨域调用已完成)。

我通过将OPTIONS方法调用的内容类型(不返回任何数据)设置为“ application / octet-stream”,将其固定在服务器上。没有更多警告!

相关问题
最新问题