JSON有效负载中的URL导致CORS问题

时间:2020-10-15 13:34:29

标签: express cors

我为应用程序提供了一个带有React前端的GraphQL后端。 CORS策略设置为仅允许前端https://my.server:443访问后端https://my.server:4444,并且在大多数情况下都可以正常工作。

我的Express.js服务器启动如下:

server.start(
  {
    cors: {
      credentials: true,
      origin: [ "https://my.server" ]
    },
  },
  (deets) => {
    console.log(`Server is now running on port http://localhost:${deets.port}`);
  }
);

当我使用包含URL的有效负载向API发出POST请求时,会收到CORS错误。这是对话:

OPTIONS请求:

OPTIONS / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://my.server/qualifications
Origin: https://my.server
Connection: keep-alive
TE: Trailers

响应:

HTTP/2 204 No Content
date: Thu, 15 Oct 2020 12:16:25 GMT
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin, Access-Control-Request-Headers
access-control-allow-credentials: true
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-headers: content-type
X-Firefox-Spdy: h2

POST请求:

POST / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 616
Origin: https://my.server
Referer: https://my.server/qualifications
Connection: keep-alive
Cookie: token=eyJhbGc<removed-jwt>gmWVO_I68
TE: Trailers

有效负载:

{
  "operationName": "UPDATE_QUALIFICATION_MUTATION",
  "variables": {
    "id": "ckf54v5lm0dck07821octvj4b",
    "name": "MBA",
    "description": "Testing Links",
    "link": "http://www.google.com"                          <---- URL in payload
  },
  "query": "mutation UPDATE_QUALIFICATION_MUTATION($id: ID!, $name: String, $link: String, $description: String, $company: CompanyUpdateOneInput) {\n  updateQualification(where: {id: $id}, data: {name: $name, link: $link, description: $description, company: $company}) {\n    id\n    name\n    description\n    link\n    company {\n      id\n      name\n      __typename\n    }\n    __typename\n  }\n}\n"
  }

响应:

HTTP/2 403 Forbidden
server: awselb/2.0
date: Thu, 15 Oct 2020 12:16:25 GMT
content-type: text/html
content-length: 118
X-Firefox-Spdy: h2

好吧...这次不使用URL再次尝试...

让我感到困惑的是,当我执行相同的操作时,除了包含URL的一个字段之外,我得到了:

OPTIONS请求:

OPTIONS / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://my.server/qualifications
Origin: https://my.server
Connection: keep-alive
TE: Trailers

响应:

HTTP/2 204 No Content
date: Thu, 15 Oct 2020 13:07:41 GMT
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin, Access-Control-Request-Headers
access-control-allow-credentials: true
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-headers: content-type
X-Firefox-Spdy: h2

POST请求:

POST / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 560
Origin: https://my.server
Referer: https://my.server/qualifications
Connection: keep-alive
Cookie: token=eyJhbG<removed-jwt>WVO_I68
TE: Trailers

具有有效载荷:

{
  "operationName": "UPDATE_QUALIFICATION_MUTATION",
  "variables": {
    "id": "ckf54v5lm0dck07821octvj4b",
    "name": "MBA",
    "description": "Testing Links",
    "link": "not-a-url"                                <---- THIS CHANGED
  },
  "query": "mutation UPDATE_QUALIFICATION_MUTATION($id: ID!, $name: String, $link: String, $description: String, $company: CompanyUpdateOneInput) {\n  updateQualification(where: {id: $id}, data: {name: $name, link: $link, description: $description, company: $company}) {\n    id\n    name\n    description\n    link\n    company {\n      id\n      name\n      __typename\n    }\n    __typename\n  }\n}\n"
  }

响应:

HTTP/2 200 OK
date: Thu, 15 Oct 2020 13:07:41 GMT
content-type: application/json
content-length: 173
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin
access-control-allow-credentials: true
X-Firefox-Spdy: h2

现在可以正常使用了吗?除了其他问题,我还有其他问题:

  • 请求的JSON负载如何影响CORS?
  • 我的Express服务器CORS配置中是否缺少某些内容?
  • 在有效载荷中发送URL是否存在某种普遍的问题?
  • 如果是,是否有建议的解决方法? (我只是打算在前端对它进行base64编码/解码,但是这样做似乎是“错误的”!)

任何指针将不胜感激!

1 个答案:

答案 0 :(得分:0)

我们今天偶然发现了一个类似的问题。

事实证明,在我们的案例中,这是由拒绝请求的 WAF 配置引起的。我们在分析 WAF 采样和负载均衡器日志后发现。

祝你好运!

相关问题
最新问题