I know this topic has already been discussed, but I can't figure this problem out.
Flow:
2 - Server response headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://localhost
Content-Length: 757
Content-Security-Policy: img-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Fri, 05 Apr 2024 22:55:12 GMT
Etag: W/"2f5-cF2DgIYE70TbTgbAxYrSxvRZvYU"
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Server: nginx
Set-Cookie: TOKEN=CONTENT; Path=/; Expires=Sat, 06 Apr 2024 22:55:11 GMT; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=15552000; includeSubDomains
Strict-Transport-Security: max-age=31536000
Vary: Origin
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Xss-Protection: 0
3 - Client request
:Authority: remote.server.dns.com
:Method: GET
:Path: /api/route
:Scheme: https
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Access-Control-Allow-Origin: https://remote.server.dns.com:443
Content-Type: application/json;charset=UTF-8
Origin: https://localhost
Referer: https://localhost/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Linux; Android 14; sdk_gphone64_x86_64 Build/UE1A.230829.036.A1; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/113.0.5672.136 Mobile Safari/537.36
X-Requested-With: com.dns.sub
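So the server rejects (3), because the route api/route is secured and requires the cookie...
Any help?
Note: I am not asking about cookie persistence, nor about client-side cookie definition ;)
What I have tried:
Access-Control-Allow-Credentials
Access-Control-Allow-Origin
Solution: The problem has nothing to do with cordova/android. The problem was that I had not flagged my XHR request with credential = true to allow cookies/authorization to be sent cross-domain.
For fetch(...), use credentials: "include", e.g.: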
fetch(url, {
method: "POST",
headers,
credentials: "include",
body: new Blob([JSON.stringify(params)], { type: "application/json" }),
})
For XMLHttpRequest, use withCredentials = true, e.g.:
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
...
xhr.send();
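The following check is an added example, not part of the original post: it walks through the conditions a browser applies before it stores and sends a cookie on a cross-site request, using the header values from step 2 of the question. The function names are hypothetical and the Set-Cookie parsing is simplified to what this exchange needs.

```javascript
// Added example: header values are copied from the question; function names are hypothetical.

// Parse a Set-Cookie value into { name, attrs } with lowercase attribute names.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(";").map((s) => s.trim());
  const attrs = {};
  for (const part of rest) {
    const [k, v = true] = part.split("=");
    attrs[k.toLowerCase()] = v;
  }
  return { name: pair.split("=")[0], attrs };
}

// Return the reasons a cross-site call from `origin` would fail to store or
// send the cookie; an empty list means the exchange is consistent.
function diagnoseCredentialedCors({ origin, credentialsMode, responseHeaders }) {
  const problems = [];
  const h = Object.fromEntries(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  // fetch defaults to "same-origin", which omits cookies on cross-origin calls.
  if (credentialsMode !== "include") {
    problems.push("request not sent with credentials: 'include' / withCredentials = true");
  }
  const acao = h["access-control-allow-origin"];
  if (acao === "*") problems.push("Access-Control-Allow-Origin must not be * with credentials");
  else if (acao !== origin) problems.push("Access-Control-Allow-Origin does not match Origin");
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not true");
  }
  if (h["set-cookie"]) {
    const { attrs } = parseSetCookie(h["set-cookie"]);
    if (String(attrs.samesite).toLowerCase() !== "none") problems.push("cookie is not SameSite=None");
    if (!attrs.secure) problems.push("cookie is missing Secure");
  }
  return problems;
}

// Response headers from step 2 of the question.
const step2Headers = {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Origin": "https://localhost",
  "Set-Cookie": "TOKEN=CONTENT; Path=/; Expires=Sat, 06 Apr 2024 22:55:11 GMT; HttpOnly; Secure; SameSite=None",
};
```

With the question's headers, the only finding for a default fetch or XHR call is the missing credentials flag, which matches the solution above.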