问题描述
我写一个Web应用程序使用REST的API的一些服务。该API可在的https://api.example 并在应用程序的https:/ /app.example 。采用CORS简单的GET请求都工作得很好的Chrome和Firefox浏览器。一些方法通过POST接收数据并返回303 code与新的URI在Location头。
I am writing a web application for some service using RESTful API. The API is available at https://api.example and app at https://app.example. Simple GET requests using CORS are working just fine in Chrome and Firefox. Some method accept data via POST and return 303 code with new uri in Location header.
preflight OPTIONS请求是精细:
Preflight OPTIONS request is fine:
Request Method:OPTIONS
Status Code:200 OK
请求头
Accept:*/*
Accept-Charset:UTF-8,*;q=0.5
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,ru;q=0.6
Access-Control-Request-Headers:origin, authorization, content-type
Access-Control-Request-Method:POST
Connection:keep-alive
DNT:1
Host:api.example
Origin:https://app.example
Referer:https://app.example/app/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.32 (KHTML, like Gecko) Chrome/27.0.1425.0 Safari/537.32 SUSE/27.0.1425.0
响应头
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Authorization, Content-Type
Access-Control-Allow-Methods:GET,POST,PUT,DELETE,HEAD,OPTIONS
Access-Control-Allow-Origin:https://app.example
Access-Control-Expose-Headers:*
Access-Control-Max-Age:3628800
Connection:keep-alive
Content-Length:0
Date:Sun, 05 May 2013 15:22:50 GMT
Server:nginx/1.2.5
然后实际的请求接收303后,就停止:
Then the actual request just stop after receiving 303:
Request URL:https://api.example
Request Method:POST
Status Code:HTTP/1.1 303 See Other
性反应的标题:
Responce headers:
Server:nginx/1.2.5
Location:https://api.example/some_url
Date:Sun, 05 May 2013 15:27:49 GMT
Content-Type:application/json
Content-Length:0
Connection:keep-alive
Access-Control-Max-Age:3628800
Access-Control-Expose-Headers:*
Access-Control-Allow-Origin:https://app.example
Access-Control-Allow-Methods:GET,POST,PUT,DELETE,HEAD,OPTIONS
Access-Control-Allow-Headers:Authorization, Content-Type
Access-Control-Allow-Credentials:true
通过RFC用户代理应该遵循重定向,而Chrome和FF似乎并不像预期的那样。它是一个浏览器的错误或我做错了什么?
By RFC user agent should follow redirects, but Chrome and FF seems doesn't behave as expected. Is it a browsers' bug or I am doing something wrong?
更新:如果我开始用铬--disable-网络安全的一切工作正常。
update: If I start chromium with --disable-web-security everything works fine.
推荐答案
我一直在摔跤这个。看来,3xx的重定向为preflighted CORS请求的规范是被禁止的。
I've been wrestling with this, too. It appears that 3xx redirects for preflighted CORS requests are forbidden by the spec.
从规格:
(步骤1和2。详细的preflighting过程。而我们就来一步...)的
... 3。这是在实际要求。应用提出要求的步骤和观察 中的请求规则的同时提出请求如下:
如果应答的HTTP状态code 301,302,303,307,或308 应用缓存和网络错误步骤。
然后,如果我们滚动到 HTTP:/ /www.w3.org/TR/cors/#cache-and-network-error-steps :
And then if we scroll on down to http://www.w3.org/TR/cors/#cache-and-network-error-steps:
每当被应用在网络错误步骤,终止算法 调用这个组步骤,并设置跨域请求状态 网络错误。
注:这对用户凭据设置没有任何影响。即如果块 饼干标志没有设置,饼干将由响应进行设置。的
Note: This has no effect on setting of user credentials. I.e. if the block cookies flag is unset, cookies will be set by the response.
每当被应用在缓存和网络错误步骤,请按照下列 步骤:
Whenever the cache and network error steps are applied, follow these steps:
删除条目,在preflight结果缓存在哪里起源场 值是区分大小写的匹配源产地和URL字段值 是区分大小写的匹配请求URL。
Remove the entries in the preflight result cache where origin field value is a case-sensitive match for source origin and url field value is a case-sensitive match for request URL.
应用网络错误的步骤行事,就好像调用该算法 高速缓存和网络错误步骤调用了网络错误的步骤 代替。
Apply the network error steps acting as if the algorithm that invoked the cache and network error steps invoked the network error steps instead.
(重点取自DOC)的
3xx的重定向,但是,允许简单的CORS请求。
3xx redirects are, however, permitted for simple CORS requests.
这篇关于为什么浏览器不使用XMLHTT prequest和CORS跟踪重定向?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!