IE11 CORS 拒绝 https 上的选项
IE11 CORS rejecting OPTIONS on https
IE11 出于某种原因拒绝 PUT 请求,但仅当我使用 https 时。
我很难找到问题,因为使用 http、localhost 和其他浏览器工作正常。
控制台显示两个错误
SEC7124: Request method PUT was not present in the Access-Control-Allow-Methods list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
浏览器发送的OPTION请求是
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: accept, content-type, session-id
Access-Control-Request-Method: PUT
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 0
Host: api.domain.com
Origin: https://portal.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
服务器的响应如下:
X-Powered-By: Servlet/2.5
Server: server
Content-Encoding: gzip
Access-Control-Expose-Headers: Session-Id
Access-Control-Allow-Origin: *
Access-Control-Max-Age: -1
Allow: OPTIONS,GET,HEAD,PUT
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, Content-Type, session-id, authorization, portal-url
Content-Type: application/vnd.sun.wadl+xml
Content-Length: 352
Date: Tue, 19 Jan 2016 15:33:38 GMT
AngularJS 在客户端使用标准 $http PUT。
Java 在服务器端使用球衣,处理 CORS 的请求过滤器如下:
public ContainerResponse filter( final ContainerRequest request, final ContainerResponse response )
{
if ( request.getHeaderValue( "Origin" ) != null )
{
final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
headers.add( "Access-Control-Allow-Origin", "*" );
headers.add( "Access-Control-Expose-Headers", "Session-Id" );
headers.add( "Access-Control-Allow-Credentials", Boolean.TRUE.toString() );
}
if ( "OPTIONS".equals( request.getMethod() ) )
{
final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] )
{
headers.add( "Access-Control-Allow-Methods", method );
}
headers.add( "Access-Control-Allow-Headers",
"accept, origin, Content-Type, session-id, authorization, portal-url, "
+ "If-Modified-Since, Cache-Control, Pragma" );
headers.add( "Access-Control-Max-Age", "-1" );
}
return response;
}
也许你能看出这有什么问题。
谢谢
我已经找到问题了。
我在 https 上看到这个问题只是因为门户和主机在不同的域上。我无法在本地主机上复制该问题,因为服务器和门户都在同一个域中。这意味着 OPTION 请求没有发送,一切都按预期工作。在 运行 localhost 上的门户并使用 IP 地址作为服务器 URL 而不是 localhost 之后,OPTION 请求包含在请求中,我可以复制我的问题。
问题本身归结为服务器上的以下代码
for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] )
{
headers.add( "Access-Control-Allow-Methods", method );
}
出于某种原因,IE 不喜欢多个 Access-Control-Allow-Methods headers。将代码更改为以下问题后解决了。
List<String> ALLOWED_METHODS = Arrays.asList( "OPTIONS", "GET", "POST", "PUT", "DELETE" );
headers.add( "Access-Control-Allow-Methods", ALLOWED_METHODS );
IE11 出于某种原因拒绝 PUT 请求,但仅当我使用 https 时。 我很难找到问题,因为使用 http、localhost 和其他浏览器工作正常。
控制台显示两个错误
SEC7124: Request method PUT was not present in the Access-Control-Allow-Methods list.
SCRIPT7002: XMLHttpRequest: Network Error 0x80070005, Access is denied.
浏览器发送的OPTION请求是
Accept: */*
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: accept, content-type, session-id
Access-Control-Request-Method: PUT
Cache-Control: no-cache
Connection: Keep-Alive
Content-Length: 0
Host: api.domain.com
Origin: https://portal.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
服务器的响应如下:
X-Powered-By: Servlet/2.5
Server: server
Content-Encoding: gzip
Access-Control-Expose-Headers: Session-Id
Access-Control-Allow-Origin: *
Access-Control-Max-Age: -1
Allow: OPTIONS,GET,HEAD,PUT
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, Content-Type, session-id, authorization, portal-url
Content-Type: application/vnd.sun.wadl+xml
Content-Length: 352
Date: Tue, 19 Jan 2016 15:33:38 GMT
AngularJS 在客户端使用标准 $http PUT。 Java 在服务器端使用球衣,处理 CORS 的请求过滤器如下:
public ContainerResponse filter( final ContainerRequest request, final ContainerResponse response )
{
if ( request.getHeaderValue( "Origin" ) != null )
{
final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
headers.add( "Access-Control-Allow-Origin", "*" );
headers.add( "Access-Control-Expose-Headers", "Session-Id" );
headers.add( "Access-Control-Allow-Credentials", Boolean.TRUE.toString() );
}
if ( "OPTIONS".equals( request.getMethod() ) )
{
final MultivaluedMap<String, Object> headers = response.getHttpHeaders();
for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] )
{
headers.add( "Access-Control-Allow-Methods", method );
}
headers.add( "Access-Control-Allow-Headers",
"accept, origin, Content-Type, session-id, authorization, portal-url, "
+ "If-Modified-Since, Cache-Control, Pragma" );
headers.add( "Access-Control-Max-Age", "-1" );
}
return response;
}
也许你能看出这有什么问题。
谢谢
我已经找到问题了。
我在 https 上看到这个问题只是因为门户和主机在不同的域上。我无法在本地主机上复制该问题,因为服务器和门户都在同一个域中。这意味着 OPTION 请求没有发送,一切都按预期工作。在 运行 localhost 上的门户并使用 IP 地址作为服务器 URL 而不是 localhost 之后,OPTION 请求包含在请求中,我可以复制我的问题。
问题本身归结为服务器上的以下代码
for ( String method : ["OPTIONS", "GET", "POST", "PUT", "DELETE"] )
{
headers.add( "Access-Control-Allow-Methods", method );
}
出于某种原因,IE 不喜欢多个 Access-Control-Allow-Methods headers。将代码更改为以下问题后解决了。
List<String> ALLOWED_METHODS = Arrays.asList( "OPTIONS", "GET", "POST", "PUT", "DELETE" );
headers.add( "Access-Control-Allow-Methods", ALLOWED_METHODS );