Chrome/Edge 在 Firefox 工作时不发送预检选项请求跨源

问题描述 投票:0回答:1

我将标头中的 

Authorization
令牌发送到同源服务器和跨源服务器。我已将服务器设置为响应具有以下标头的 
OPTIONS
请求:

HTTP/1.1 204 No Content
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://10.26.97.22:10251 (this is dynamically set to the origin of the request)
Vary: Origin
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: authorization
Access-Control-Max-Age: 86400
Connection: keep-alive

Firefox 上的请求有效(上面显示的是 Firefox 的响应标头。)并且触发预检请求的 

POST
请求没有问题。

但是,Chrome 和 Edge 都无法正常工作且未报告错误。刚刚失败的请求说 

net::ERR_RESPONSE_HEADERS_TRUNCATED

以下是在 Firefox 上实际执行的 

POST
请求的成功响应:

HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 07 Nov 2023 00:05:49 GMT
Content-type: application/json
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://10.26.97.22:10251 (again, this is dynamically set)
Vary: Origin
Strict-Transport-Security: max-age=31536000
Referrer-Policy: no-referrer
Content-Security-Policy: default-src 'none'; font-src 'self' data:; script-src 'self'; connect-src *; img-src 'self'; style-src 'self';base-uri 'self';form-action 'self';
Cache-Control: no-cache

我尝试清除缓存,以隐身模式打开网站,以及在禁用网络安全的情况下启动 Chrome。仅当禁用网络安全时才有效。

我比较了常规 Chrome 和 Firefox 之间的预检请求标头,如下所示:

常规镀铬:

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: POST
Connection: keep-alive
Host: 10.26.97.30:10261
Origin: https://10.26.97.22:10251
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36

火狐浏览器:

OPTIONS /homepage HTTP/1.1
Host: 10.26.97.30:10261
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization
Origin: https://10.26.97.22:10251
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache
google-chrome firefox https http-headers preflight
1个回答
0
投票

事实证明,这可能是因为我没有正确终止标头而发生的。即使我已经指出 

OPTIONS
响应没有内容 (
HTTP/1.1 204 No Content
),它仍然需要额外的空行来终止标头部分。看起来 Firefox 比基于 Chromimum 的浏览器更宽容一些。在最后一个标题打印输出后添加一个空行解决了问题。

来源:https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.