Chrome/Edge do not send the cross-origin preflight OPTIONS request while Firefox works

6qfn3psc  posted on 2023-11-14  in  Go

I am sending an Authorization token in the header to same-origin and cross-origin servers. I have set up the server to respond to OPTIONS requests with the following headers:

HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://10.26.97.22:10251 (this is dynamically set to the origin of the request)
Vary: Origin
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: authorization
Access-Control-Max-Age: 86400
Connection: keep-alive

Requests on Firefox work fine (the response headers shown above are from Firefox), and the POST request that triggers the preflight goes through without problems too.
However, neither Chrome nor Edge reports an error. The failed request just says net::ERR_RESPONSE_HEADERS_TRUNCATED.
Below is the successful response to the POST request that actually goes through on Firefox:

HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 07 Nov 2023 00:05:49 GMT
Content-type: application/json
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://10.26.97.22:10251 (again, this is dynamically set)
Vary: Origin
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
Content-Security-Policy: default-src 'none'; font-src 'self' data:; script-src 'self'; connect-src *; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';
Cache-Control: no-cache


I have tried clearing the cache, opening the site in incognito mode, and launching Chrome with web security disabled. It only works when web security is disabled.
I compared the preflight request headers between regular Chrome and Firefox, shown below:
Regular Chrome:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 10.26.97.30:10261
Origin: https://10.26.97.22:10251
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36


Firefox:

OPTIONS /homepage HTTP/1.1
Host: 10.26.97.30:10261
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
Origin: https://10.26.97.22:10251
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

Answer by xfyts7mz:

It turns out this was probably because I was not terminating the headers correctly. Even though I had indicated that the OPTIONS response has no content (HTTP/1.1 204 No Content), it still needs the extra blank line to terminate the header section. It looks like Firefox is a bit more lenient than Chromium-based browsers. Adding a blank line after the last header fixed the problem.
Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages
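The header terminator the answer describes, checked with Go's own response parser, as an added example that is not code from the question or the answer. The asker's server language is not stated; this assumes a server that writes the status line and headers to the connection by hand, which is where the bug can arise (net/http's ResponseWriter always emits the closing blank line itself). The origin value is the one quoted in the question.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// buildPreflight renders the 204 preflight response from the question as raw bytes.
// terminated=false reproduces the bug: every header line ends in CRLF, but the
// empty line that closes the header section is never sent.
func buildPreflight(origin string, terminated bool) []byte {
	lines := []string{
		"HTTP/1.1 204 No Content",
		"Access-Control-Allow-Credentials: true",
		"Access-Control-Allow-Origin: " + origin,
		"Vary: Origin",
		"Access-Control-Allow-Methods: GET, POST, OPTIONS",
		"Access-Control-Allow-Headers: authorization",
		"Access-Control-Max-Age: 86400",
		"Connection: keep-alive",
	}
	raw := strings.Join(lines, "\r\n") + "\r\n"
	if terminated {
		raw += "\r\n" // the blank line that ends the header block
	}
	return []byte(raw)
}

// parsePreflight feeds the bytes to net/http's response parser, which, like
// Chromium, treats a header block with no closing empty line as truncated.
func parsePreflight(raw []byte) (*http.Response, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return nil, fmt.Errorf("response headers truncated: %w", err)
	}
	return resp, nil
}

func main() {
	origin := "https://10.26.97.22:10251" // origin taken from the question
	_, err := parsePreflight(buildPreflight(origin, false))
	fmt.Println("unterminated:", err)
	if resp, err := parsePreflight(buildPreflight(origin, true)); err == nil {
		fmt.Println("terminated:", resp.StatusCode, resp.Header.Get("Access-Control-Allow-Origin"))
	}
}
```

Running it prints an error for the unterminated variant and "204" plus the echoed origin for the terminated one, which is the same difference Chrome and Firefox showed on the original server.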
