我发现这个问题Cookie is not sent in XHR request / cross-domain似乎是相同的,这个答案(https://stackoverflow.com/a/25861695/500902)有点相关(Cross-Domain Cookies),暗示部分答案是{ {1}}标头。
我有一个Web服务和一个javascript SPA(使用Angular)。我可以将服务和静态javascript文件部署到Docker容器中,以便从Access-Control-Allow-Origin
交付Angular应用程序和服务,并且一切正常。
但是现在我在http://localhost:9999
上建立了一个用于本地开发的本地Angular服务器。我有一些配置设置,因此本地Angular应用知道该服务位于http://localhost:4200
无论哪种情况,我的第一个请求都只是检索角度应用程序和index.html。
http://localhost:9999
现在,Angular应用程序对服务进行了第一个XHR(在9999上),它使用Set-Cookie响应标头进行回复。
General
Request URL: http://localhost:4200/login
Request Method: GET
Status Code: 304 Not Modified
Remote Address: 127.0.0.1:4200
Referrer Policy: no-referrer-when-downgrade
Response Headers
Accept-Ranges: bytes
Access-Control-Allow-Origin: * <-- Added by Angular (I'm guessing) for local 'ng serve'
Content-Length: 879
Content-Type: text/html; charset=UTF-8
Date: Wed, 04 Dec 2019 21:04:15 GMT
在一些用户交互之后,发送了POST请求,
General
Request URL: http://localhost:9999/accounts/rest/accounts/botchallengeendpoint
Request Method: GET
Status Code: 200
Remote Address: 127.0.0.1:9999
Referrer Policy: no-referrer-when-downgrade
Response Headers
Access-Control-Allow-Origin: * <-- Added by CorsFilter in tomcat, to all responses
Content-Length: 114
Content-Type: application/json
Date: Wed, 04 Dec 2019 21:04:18 GMT
Set-Cookie: JSESSIONID=E92A9BEAEA8D391475FF28F0D5223079; Path=/accounts; HttpOnly
所有内容均为9999时,请求中的区别如下所示
General
Request URL: http://localhost:9999/accounts/rest/sessions
Request Method: POST
Status Code: 200
Remote Address: 127.0.0.1:9999
Referrer Policy: no-referrer-when-downgrade
Response Headers:
<snip> irrelevant
Request Headers:
Access-Control-Allow-Origin: *
Content-Length: 58
Content-Type: application/json
Date: Wed, 04 Dec 2019 21:26:13 GMT
Request Headers
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 89
Content-Type: application/json
DNT: 1
Host: localhost:9999
Origin: http://localhost:4200
Referer: http://localhost:4200/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
未发送COOKIE的差异导致失败。请注意,第二个XHR请求的来源与第一个相同。我相对可以肯定,直到一周左右之前一切都正常,所以我想知道Chrome的某些更新是否改变了某些行为。无论如何,我是否可以从服务器提供其他标头,以允许本地Angular Web应用程序将Cookie发送到服务?我们仅在部署到本地容器中进行开发时才添加Cookie: JSESSIONID=1F86DA682FAE370768B1C3B7BB2AF263
Host: localhost:9999
Origin: http://localhost:9999
Referer: http://localhost:9999/accounts/accounts-management/login
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
,所以没有安全问题。它使进行角度开发变得更加方便,或者至少在以前使角度开发更加方便,以允许本地JS应用程序与已部署的JS应用程序相同。