启用基本身份验证后,Safari上不允许跨源请求

时间:2019-07-31 02:37:02

标签: apache https safari cors basic-authentication

我遇到了这个问题,似乎只影响Safari(11.1)。相同的代码可以在Firefox和Chrome上正常运行。 当启用基本HTTP身份验证(在两个站点上)时,我正在尝试进行跨域Ajax请求。 Https也已启用。我在Macbook Pro上使用的是Apache 2.4.29。

设置是在本地计算机上运行两个测试站点foo.com和bar.com。 foo.com向驻留在bar.com上的json文件发出Ajax请求。如前所述,所有通信都是通过我用自签名证书设置的https进行的。

这是我的Apache配置

<VirtualHost *:443>
  ServerName foo.com
  DocumentRoot "/Users/richardhunter/development/cors-experiment/foo"
  ErrorLog "/private/var/log/apache2/foo-error-log"
  CustomLog "/private/var/log/apache2/foo-access-log" common
  SSLEngine on
  SSLCertificateFile "/Users/richardhunter/development/cors-experiment/certificates/foo/foo.crt"
  SSLCertificateKeyFile "/Users/richardhunter/development/cors-experiment/certificates/foo/foo.key"
  <Directory "/Users/richardhunter/development/cors-experiment/foo">
    AuthType Basic                            
    AuthName "Restricted Files"               
    AuthBasicProvider file                    
    AuthUserFile "/Users/richardhunter/development/cors-passwords"
    Require user richard  
  </Directory>
</VirtualHost>

<VirtualHost *:443>
  ServerName bar.com
  DocumentRoot "/Users/richardhunter/development/cors-experiment/bar"
  ErrorLog "/private/var/log/apache2/bar-error-log"
  CustomLog "/private/var/log/apache2/bar-access-log" common
  SSLEngine on
  SSLCertificateFile "/Users/richardhunter/development/cors-experiment/certificates/bar/bar.crt"
  SSLCertificateKeyFile "/Users/richardhunter/development/cors-experiment/certificates/bar/bar.key"
  Header set Access-Control-Allow-Origin "https://foo.com"
  Header set Access-Control-Allow-Credentials true

  <Directory "/Users/richardhunter/development/cors-experiment/bar">
    AuthType Basic    
    AuthName "Restricted Files"    
    AuthBasicProvider file    
    AuthUserFile "/Users/richardhunter/development/cors-passwords"
    Require user richard  
  </Directory>
</VirtualHost>

在Safari上,我在控制台中收到此错误:

TypeError: Origin https://foo.com is not allowed by Access-Control-Allow-Origin.
(anonymous function)

如果我关闭服务器上的身份验证,则该呼叫有效。错误日志中没有其他有用的东西了。

我希望可以在实时站点上的Safari上进行这种类型的跨域调用(不使用自签名证书),但是我不知道是这种情况。显然,我很想知道。我还希望我的本地环境尽可能地复制一个实时环境。

我的代码在this Github repo

0 个答案:

没有答案
相关问题
最新问题