Safari fails CORS request after 302 redirect
I have a problem with the way Safari handles CORS requests. Consider the following scenario:
- DomainA hosts a page that makes an XHR request to DomainB (Origin header set to DomainA)
- DomainB returns a 302 redirect to DomainC (Origin header set to null, which seems consistent with the RFC)
- DomainC returns a 200 response with the actual content
This works in Chrome, FF, but it fails on Safari (tested on Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9).
When I make the request without xhr.withCredentials turned on, Safari first makes an OPTIONS preflight request prior to the actual request to DomainC, which IMHO is not necessary as all requests are simple requests, but that I can handle. The problem is that Safari fails after the preflight request to DomainC, saying "Cannot make any request from null". I can bypass this by setting Access-Control-Allow-Origin to * and dropping the Access-Control-Allow-Credentials header (those are mutually exclusive), which would make this scenario work. However, I still think this is not correct behavior.
Now, the thing is I need credentials to be passed (and no, I can not pass them some other way as it depends on some third party servers). So, let's set xhr.withCredentials to true and we are back to "Cannot make any request from null", and now even wildcarding Access-Control-Allow-Credentials does not help.
I think all CORS headers are set properly, but please feel free to check me. Test example can be found here: http://a.ihatesafari.com
What is going on here?
Thanks for your answers
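The following is an added example, not code from the question or the answer, that models the two server-side rules the scenario above runs into: a credentialed response must echo one specific origin (never "*"), and the opaque "null" origin that DomainC receives after the 302 should not be allowed at all, since sandboxed iframes, file:// pages and redirected requests all send it. The origins a.example, b.example and c.example stand in for DomainA, DomainB and DomainC, and the redirect rule follows the Fetch specification's origin tainting.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the origin(s) of DomainA, the page making the XHR.
ALLOWED_ORIGINS = {"https://a.example"}


def origin_of(url):
    """Serialise the origin (scheme://host[:port]) of a URL."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def origin_after_redirect(page_origin, redirect_from, redirect_to):
    """Origin header the browser sends on the hop that follows a 302.

    Fetch taints the request origin (serialised as "null") when the redirect
    crosses origins and the target is not the page's own origin. This models
    the behaviour the question observes (DomainB -> DomainC gives Origin: null).
    """
    src, dst = origin_of(redirect_from), origin_of(redirect_to)
    if dst != src and dst != page_origin:
        return "null"
    return page_origin


def cors_headers(request_headers, allowed_origins=ALLOWED_ORIGINS, allow_credentials=True):
    """CORS response headers a server should emit, or {} to deny.

    A "null" origin is opaque and cannot be attributed to DomainA, so it is
    denied whether or not credentials are involved; an allowed origin is
    echoed back verbatim rather than replaced by "*".
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None or origin == "null" or origin not in allowed_origins:
        return {}
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    if "access-control-request-method" in h:  # OPTIONS preflight
        resp["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        if "access-control-request-headers" in h:
            resp["Access-Control-Allow-Headers"] = h["access-control-request-headers"]
        resp["Access-Control-Max-Age"] = "600"
    return resp
```

Run through the chain in the question, DomainC ends up with Origin: null and `cors_headers` returns nothing, which is why the only clean fixes are to avoid the cross-origin redirect (as the answer below does) or to point the XHR at DomainC directly.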
I was experiencing this issue as well and found this bug from 2012 that appears to be describing it. Running the test code referenced in the bug in FF / Chrome / Safari yielded failures only in Safari. It appears that the bug has not been patched.
Ultimately, to get around this, I modified our HTTP API to add an optional query parameter that triggers a different response: a 200 OK with a JSON body containing the URL that the client is to follow. Unfortunately, if you're a consumer of someone else's HTTP API this won't help much.