CORS 不适用于 javascript 文件内的请求
CORS not working for a request made inside a javascript file
我为我的静态子域配置了 CORS,我可以在我的主域和子域中使用静态文件。
问题是我在 javascript 文件中有一个获取请求,而 firefox 仅针对该请求抱怨,即与我在 [=48] 上发出的其余请求相同的静态子域=]代码。
我不记得以前有过这个问题,也许 CORS (firefox) 的某些更改使它不再起作用?
脚本(来自 .js 文件内部):
$('#example').DataTable( {
//[...]
language: {
"url": "//static.domain.com/js/DataTables-Spanish.json"
},
//[...]
} );
这是它实际做的,一个jquery ajax 请求方法:
if ( oLanguage.sUrl !== "" )
{
/* Get the language definitions from a file - because this Ajax call makes the language
* get async to the remainder of this function we use bInitHandedOff to indicate that
* _fnInitialise will be fired by the returned Ajax handler, rather than the constructor
*/
$.ajax( {
dataType: 'json',
url: oLanguage.sUrl,
success: function ( json ) {
_fnLanguageCompat( json );
_fnCamelToHungarian( defaults.oLanguage, json );
$.extend( true, oLanguage, json );
_fnInitialise( oSettings );
},
error: function () {
// Error occurred loading language file, continue on as best we can
_fnInitialise( oSettings );
}
} );
bInitHandedOff = true;
}
firefox控制台报错:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.mydomain.com/js/DataTables-Spanish.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
CORS 配置(在虚拟主机块内):
<IfModule mod_headers.c>
SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=[=14=]
Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Methods: "GET"
</IfModule>
同样,如您所见,CORS 在静态子域中已正确配置,我只收到 javascript 文件中的请求的投诉。
为什么 firefox 抱怨?
Firefox 网络监视器
Status: 200 - Method: GET - File: DataTables-Spanish.json - Domain: (green lock) static.domain.com - Cause: script - Type: json
-Request headers:
Host: static.domain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en,en-US;q=0.7,es;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://sub1.domain.com/site
Origin: https://sub1.domain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-Response headers:
Accept-Ranges: bytes
Content-Length: 932
Content-Type: application/json
Date: Fri, 06 Jan 2017 02:34:49 GMT
Etag: "3a4-52ef9645b6940"
Last-Modified: Sat, 26 Mar 2016 20:19:09 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2j
X-Firefox-Spdy: h2
access-control-allow-methods: GET
strict-transport-security: max-age=63072000; includeSubdomains;
编辑:如果我在配置中使用通配符而不是正则表达式,它工作正常:
<IfModule mod_headers.c>
#SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=[=16=]
#Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Origin: *
Header set Access-Control-Allow-Methods: "GET"
</IfModule>
所以现在的问题是:为什么它不能使用正则表达式?
如果我把 header 放在最后一行,它将与正则表达式一起工作:
<IfModule mod_headers.c>
SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=[=17=]
Header set Access-Control-Allow-Methods "GET"
Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
</IfModule>
问题是我从另一个问题中获取了代码,但没有注意到以下内容:
SetEnvIfNoCase
这与我想要的正好相反,即将正则表达式中的域列入白名单:
SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=[=11=]
Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Methods "GET"
其他 html 请求不应被 cors 阻止,这就是原因。
我为我的静态子域配置了 CORS,我可以在我的主域和子域中使用静态文件。
问题是我在 javascript 文件中有一个获取请求,而 firefox 仅针对该请求抱怨,即与我在 [=48] 上发出的其余请求相同的静态子域=]代码。
我不记得以前有过这个问题,也许 CORS (firefox) 的某些更改使它不再起作用?
脚本(来自 .js 文件内部):
$('#example').DataTable( {
//[...]
language: {
"url": "//static.domain.com/js/DataTables-Spanish.json"
},
//[...]
} );
这是它实际做的,一个jquery ajax 请求方法:
if ( oLanguage.sUrl !== "" )
{
/* Get the language definitions from a file - because this Ajax call makes the language
* get async to the remainder of this function we use bInitHandedOff to indicate that
* _fnInitialise will be fired by the returned Ajax handler, rather than the constructor
*/
$.ajax( {
dataType: 'json',
url: oLanguage.sUrl,
success: function ( json ) {
_fnLanguageCompat( json );
_fnCamelToHungarian( defaults.oLanguage, json );
$.extend( true, oLanguage, json );
_fnInitialise( oSettings );
},
error: function () {
// Error occurred loading language file, continue on as best we can
_fnInitialise( oSettings );
}
} );
bInitHandedOff = true;
}
firefox控制台报错:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://static.mydomain.com/js/DataTables-Spanish.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
CORS 配置(在虚拟主机块内):
<IfModule mod_headers.c>
SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=[=14=]
Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Methods: "GET"
</IfModule>
同样,如您所见,CORS 在静态子域中已正确配置,我只收到 javascript 文件中的请求的投诉。
为什么 firefox 抱怨?
Firefox 网络监视器
Status: 200 - Method: GET - File: DataTables-Spanish.json - Domain: (green lock) static.domain.com - Cause: script - Type: json
-Request headers:
Host: static.domain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en,en-US;q=0.7,es;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://sub1.domain.com/site
Origin: https://sub1.domain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-Response headers:
Accept-Ranges: bytes
Content-Length: 932
Content-Type: application/json
Date: Fri, 06 Jan 2017 02:34:49 GMT
Etag: "3a4-52ef9645b6940"
Last-Modified: Sat, 26 Mar 2016 20:19:09 GMT
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.2j
X-Firefox-Spdy: h2
access-control-allow-methods: GET
strict-transport-security: max-age=63072000; includeSubdomains;
编辑:如果我在配置中使用通配符而不是正则表达式,它工作正常:
<IfModule mod_headers.c>
#SetEnvIfNoCase Origin: "https?://(www\.)?(domain\.com|sub1\.domain\.com)(:\d+)?$" ACAO=[=16=]
#Header set Access-Control-Allow-Origin: "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Origin: *
Header set Access-Control-Allow-Methods: "GET"
</IfModule>
所以现在的问题是:为什么它不能使用正则表达式?
如果我把 header 放在最后一行,它将与正则表达式一起工作:
<IfModule mod_headers.c>
SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=[=17=]
Header set Access-Control-Allow-Methods "GET"
Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
</IfModule>
问题是我从另一个问题中获取了代码,但没有注意到以下内容:
SetEnvIfNoCase
这与我想要的正好相反,即将正则表达式中的域列入白名单:
SetEnvIf Origin "https://(www.domain.com|sub1.domain.com|auth.domain.com)$" ACAO=[=11=]
Header always append Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
Header set Access-Control-Allow-Methods "GET"
其他 html 请求不应被 cors 阻止,这就是原因。