CORS Access-Control-Allow-Headers wildcard being ignored?
I can't get a cross-origin CORS request to work in Chrome.

Request headers:

```http
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, content-type
Access-Control-Request-Method:POST
Connection:keep-alive
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
```

Response headers:

```http
Access-Control-Allow-Headers:*
Access-Control-Allow-Origin:*
Allow:GET, POST, OPTIONS
Content-Length:0
Date:Tue, 30 Oct 2012 20:04:28 GMT
Server:BaseHTTP/0.3 Python/2.7.3
```

Error:

```
XMLHttpRequest cannot load domain. Request header field Content-Type is not allowed by Access-Control-Allow-Headers.
```

And the Python code that serves the OPTIONS request is:

```python
# Method of a BaseHTTPRequestHandler subclass; answers the preflight
def do_OPTIONS(self):
    self.send_response(200)
    self.send_header('Allow', 'GET, POST, OPTIONS')
    self.send_header('Access-Control-Allow-Origin', '*')
    self.send_header('Access-Control-Allow-Headers', '*')
    self.send_header('Content-Length', '0')
    self.end_headers()
```
It seems (as of May 2016 only) that if you expect a large number of headers you can read through the following; those CORS headers do not support `*`:

```apache
<IfModule mod_headers.c>
    Header unset Connection
    Header unset Time-Zone
    Header unset Keep-Alive
    Header unset Access-Control-Allow-Origin
    Header unset Access-Control-Allow-Headers
    Header unset Access-Control-Expose-Headers
    Header unset Access-Control-Allow-Methods
    Header unset Access-Control-Allow-Credentials
    Header set Connection keep-alive
    Header set Time-Zone "Asia/Jerusalem"
    Header set Keep-Alive timeout=100,max=500
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Headers "Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With"
    Header set Access-Control-Expose-Headers "Accept, Accept-CH, Accept-Charset, Accept-Datetime, Accept-Encoding, Accept-Ext, Accept-Features, Accept-Language, Accept-Params, Accept-Ranges, Access-Control-Allow-Credentials, Access-Control-Allow-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Request-Headers, Access-Control-Request-Method, Age, Allow, Alternates, Authentication-Info, Authorization, C-Ext, C-Man, C-Opt, C-PEP, C-PEP-Info, CONNECT, Cache-Control, Compliance, Connection, Content-Base, Content-Disposition, Content-Encoding, Content-ID, Content-Language, Content-Length, Content-Location, Content-MD5, Content-Range, Content-Script-Type, Content-Security-Policy, Content-Style-Type, Content-Transfer-Encoding, Content-Type, Content-Version, Cookie, Cost, DAV, DELETE, DNT, DPR, Date, Default-Style, Delta-Base, Depth, Derived-From, Destination, Differential-ID, Digest, ETag, Expect, Expires, Ext, From, GET, GetProfile, HEAD, HTTP-date, Host, IM, If, If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since, Keep-Alive, Label, Last-Event-ID, Last-Modified, Link, Location, Lock-Token, MIME-Version, Man, Max-Forwards, Media-Range, Message-ID, Meter, Negotiate, Non-Compliance, OPTION, OPTIONS, OWS, Opt, Optional, Ordering-Type, Origin, Overwrite, P3P, PEP, PICS-Label, POST, PUT, Pep-Info, Permanent, Position, Pragma, ProfileObject, Protocol, Protocol-Query, Protocol-Request, Proxy-Authenticate, Proxy-Authentication-Info, Proxy-Authorization, Proxy-Features, Proxy-Instruction, Public, RWS, Range, Referer, Refresh, Resolution-Hint, Resolver-Location, Retry-After, Safe, Sec-Websocket-Extensions, Sec-Websocket-Key, Sec-Websocket-Origin, Sec-Websocket-Protocol, Sec-Websocket-Version, Security-Scheme, Server, Set-Cookie, Set-Cookie2, SetProfile, SoapAction, Status, Status-URI, Strict-Transport-Security, SubOK, Subst, Surrogate-Capability, Surrogate-Control, TCN, TE, TRACE, Timeout, Title, Trailer, Transfer-Encoding, UA-Color, UA-Media, UA-Pixels, UA-Resolution, UA-Windowpixels, URI, Upgrade, User-Agent, Variant-Vary, Vary, Version, Via, Viewport-Width, WWW-Authenticate, Want-Digest, Warning, Width, X-Content-Duration, X-Content-Security-Policy, X-Content-Type-Options, X-CustomHeader, X-DNSPrefetch-Control, X-Forwarded-For, X-Forwarded-Port, X-Forwarded-Proto, X-Frame-Options, X-Modified, X-OTHER, X-PING, X-PINGOTHER, X-Powered-By, X-Requested-With"
    Header set Access-Control-Allow-Methods "CONNECT, DEBUG, DELETE, DONE, GET, HEAD, HTTP, HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2, OPTIONS, ORIGIN, ORIGINS, PATCH, POST, PUT, QUIC, REST, SESSION, SHOULD, SPDY, TRACE, TRACK"
    Header set Access-Control-Allow-Credentials "true"
    Header set DNT "0"
    Header set Accept-Ranges "bytes"
    Header set Vary "Accept-Encoding"
    Header set X-UA-Compatible "IE=edge,chrome=1"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Xss-Protection "1; mode=block"
</IfModule>
```
FAQ:

- Why are the Access-Control-Allow-Headers, Access-Control-Expose-Headers and Access-Control-Allow-Methods values so long? They do not support the `*` syntax, so I collected the most common (and exotic) headers from around the web, in various formats (#1, #2, #3). I will update the list from time to time.
- Why the `Header unset ______` syntax? The GoDaddy server (where my site is hosted...) has a strange bug: if a header is already set, the previous value gets joined onto the existing one (instead of replacing it), so I "pre-clean" the existing values (really just a quick and dirty solution).
- Can I safely use this 'as is'? Well.. for most the answer is yes, since .htaccess limits the headers to scripts (PHP, HTML, ...) and resources (.JPG, .JS, .CSS) served from that "folder" location. You may choose to remove the Access-Control-Allow-Methods line. Connection, Time-Zone, Keep-Alive and DNT, Accept-Ranges, Vary, X-UA-Compatible, X-Frame-Options, X-Content-Type-Options and X-Xss-Protection are just my suggestions, used for my own online service.. feel free to remove those......

Taken from my comment above.
I found that it should only be set for the OPTIONS request. If you return it for the POST request the browser will cancel the request (at least Chrome does). The following PHP code works for me:

```php
// Allow CORS
// Note: this echoes whatever Origin was sent, together with Allow-Credentials,
// so every origin is trusted.
if (isset($_SERVER['HTTP_ORIGIN'])) {
    header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
    header('Access-Control-Allow-Credentials: true');
    header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
}

// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    header("Access-Control-Allow-Headers: *");
}
```
I found similar questions and some misleading responses:

- A server thread says this is a two-year-old Chrome bug: Access-Control-Allow-Headers does not match localhost. That is wrong: I can use CORS to my local server just fine.
- Access-Control-Allow-Headers does accept wildcards. That is also wrong; the wildcard works for me (I have only tested Chrome).

It took me half a day to figure this out.

Happy coding
Quoting monsur,

> The Access-Control-Allow-Headers header does not allow wildcards. It must be an exact match: http://www.w3.org/TR/cors/#access-control-allow-headers-response-header.

So here is my PHP solution.

```php
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    $headers = getallheaders();
    // Echo back exactly the header names the browser asked for
    // (the @ suppresses the notice when the request header is absent)
    @$ACRH = $headers["Access-Control-Request-Headers"];
    header("Access-Control-Allow-Headers: $ACRH");
}
```
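The approaches on this page either send `Access-Control-Allow-Headers: *` (which the Chrome 22 in the question did not treat as a wildcard) or echo `Access-Control-Request-Headers` back verbatim (which lets the client name any header it likes). The following is an added example, not code from the question or from any answer: a Python `http.server` handler, in the spirit of the question's BaseHTTP server, that checks the requested origin, method and header names against an explicit allow-list and replies with the exact header names it accepted, which every browser understands. The origin, methods and header names in the allow-list are assumptions for the example.

```python
"""Answering a CORS preflight from an explicit allow-list (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the only origin, methods and author headers this API expects.
# Older Chrome (as in the question) lists "origin" among the requested
# headers, so it is allowed too; the browser sets it, not page script.
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOWED_METHODS = ("GET", "POST", "OPTIONS")
ALLOWED_HEADERS = {"origin", "content-type", "authorization", "x-requested-with"}


def parse_request_headers(value):
    """Split an Access-Control-Request-Headers value into lower-cased names.
    Header names are case-insensitive, so compare them in one case."""
    if not value:
        return []
    return [h.strip().lower() for h in value.split(",") if h.strip()]


def preflight_headers(origin, req_method, req_headers):
    """Return the CORS response headers for a preflight, or None to refuse it.

    A refused preflight is answered with no Access-Control-* headers at all,
    which makes the browser block the cross-origin request."""
    if origin not in ALLOWED_ORIGINS:
        return None
    if req_method is None or req_method.upper() not in ALLOWED_METHODS:
        return None
    requested = parse_request_headers(req_headers)
    if any(name not in ALLOWED_HEADERS for name in requested):
        return None
    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Max-Age": "600",
        # Allow-Origin differs per origin, so shared caches must key on Origin.
        "Vary": "Origin",
    }
    if requested:
        # Only names that passed the allow-list check are sent back.
        response["Access-Control-Allow-Headers"] = ", ".join(requested)
    return response


class CorsHandler(BaseHTTPRequestHandler):
    def do_OPTIONS(self):
        cors = preflight_headers(
            self.headers.get("Origin"),
            self.headers.get("Access-Control-Request-Method"),
            self.headers.get("Access-Control-Request-Headers"),
        )
        self.send_response(204)
        for name, value in (cors or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        # The actual request needs only Allow-Origin; Allow-Headers belongs
        # to the preflight answer.
        origin = self.headers.get("Origin")
        body = b'{"ok": true}'
        self.send_response(200)
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind address chosen for the example only.
    HTTPServer(("127.0.0.1", 8000), CorsHandler).serve_forever()
```

With the question's preflight (`Access-Control-Request-Headers: origin, content-type`, method POST) from the allowed origin, `preflight_headers` returns `Access-Control-Allow-Headers: origin, content-type`; a request naming any other header, method or origin gets no CORS headers and the browser refuses it.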
Here is the incantation for nginx, inside the

```nginx
location / {
    # Simple requests
    if ($request_method ~* "(GET|POST)") {
        add_header "Access-Control-Allow-Origin" *;
    }

    # Preflighted requests
    if ($request_method = OPTIONS ) {
        add_header "Access-Control-Allow-Origin" *;
        add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD";
        add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
    }
}
```
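The nginx answer splits requests into "simple" (GET/POST) and "preflighted" (OPTIONS), but whether the browser sends a preflight at all depends on more than the method. The following added example, which is not part of the nginx answer, implements the general rule from the WHATWG Fetch standard that the browser applies before sending: a request is simple only if its method is GET, HEAD or POST and every author-set header is CORS-safelisted (Accept, Accept-Language, Content-Language, or Content-Type with one of three form media types, each value at most 128 bytes). It also lists the names the browser would put in `Access-Control-Request-Headers`. The Range special case and the byte-level value checks are left out; the sample requests are constructed.

```python
"""Deciding whether a cross-origin request is simple or needs a preflight
(added example implementing the Fetch standard's CORS-safelisted checks)."""
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_MEDIA_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
MAX_SAFELISTED_VALUE_BYTES = 128


def is_safelisted_header(name, value):
    """True if this one header would not by itself force a preflight."""
    name = name.lower()
    if name not in SAFELISTED_HEADERS:
        return False
    if len(value.encode("utf-8")) > MAX_SAFELISTED_VALUE_BYTES:
        return False
    if name == "content-type":
        # Parameters such as charset are ignored; only the media type matters,
        # so application/json always triggers a preflight.
        media_type = value.split(";", 1)[0].strip().lower()
        return media_type in SAFELISTED_MEDIA_TYPES
    return True


def unsafe_request_headers(headers):
    """Names the browser would list in Access-Control-Request-Headers
    (simplified: the 1024-byte total-length rule is not applied)."""
    return sorted(n.lower() for n, v in headers.items() if not is_safelisted_header(n, v))


def needs_preflight(method, headers):
    """headers: author-set request headers only; Origin, Host and similar are
    set by the browser and never counted."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return bool(unsafe_request_headers(headers))


if __name__ == "__main__":
    # Constructed sample requests.
    cases = [
        ("POST", {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}),
        ("POST", {"Content-Type": "application/json"}),
        ("GET", {"Authorization": "Bearer token"}),
        ("DELETE", {}),
    ]
    for method, hdrs in cases:
        kind = "preflight" if needs_preflight(method, hdrs) else "simple"
        print(method, hdrs, "->", kind, unsafe_request_headers(hdrs))
```

A form-encoded POST is simple and never reaches the OPTIONS branch of the nginx config, whereas a JSON POST or any request carrying Authorization does, which is why the preflight branch must list those header names.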