CORS issue even with origin policies
I host some fonts on AWS CloudFront behind a custom domain.
I have this as the S3 CORS policy:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*.dabster.io</AllowedOrigin>
<AllowedOrigin>dabster.io</AllowedOrigin>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>HEAD</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>
On the CloudFront Behaviors I have the following settings:
- Viewer Protocol Policy: HTTP and HTTPS
- Allowed HTTP Methods: GET, HEAD, OPTIONS
- Forward Headers: Whitelist
  - Access-Control-Request-Headers
  - Access-Control-Request-Method
  - Origin
The error I get is:
Access to Font at
'https://cdn.dabster.io/assets/fonts/fontawesome-webfont.ttf?v=4.7.0'
from origin 'https://dabster.io' has been blocked by CORS policy: No
'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'https://dabster.io' is therefore not allowed access.
You can see the error at https://dabster.io and https://www.dabster.io.
curl -I -s -X GET -H "Origin: dabster.io" https://cdn.dabster.io/assets/fonts/fontawesome-webfont.ttf\?v\=4.7.0
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 165548
Connection: keep-alive
Date: Sun, 07 May 2017 09:26:57 GMT
Access-Control-Allow-Origin: dabster.io
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Max-Age: 3000
Access-Control-Allow-Credentials: true
Last-Modified: Fri, 05 May 2017 14:04:16 GMT
ETag: "b06871f281fee6b241d60582ae9369b9"
Accept-Ranges: bytes
Server: AmazonS3
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
X-Cache: Miss from cloudfront
Via: 1.1 d674762e43fd40650eec6e201e4316a2.cloudfront.net (CloudFront)
X-Amz-Cf-Id: JYxW4fs2Ijgt_wEnl-DQ6Yqz_qPYbwaWZSZyRjrnKQ_yje__n3skkA==
I also get the headers in the response. Please shed some light on this.
The origin value must include the protocol part, https:// or http://. So you need to do this:
<AllowedOrigin>https://dabster.io</AllowedOrigin>
The reason your curl test succeeds is that the Origin header you sent has no protocol part.
But browsers send the Origin header with the protocol part; for example, Origin: https://dabster.io.
So, with what you currently have configured, your curl test will also fail if you include the protocol:
curl -I -s -X GET -H "Origin: https://dabster.io" \
https://cdn.dabster.io/assets/fonts/fontawesome-webfont.ttf\?v\=4.7.0