Firefox和Chrome给我CORS错误,即使OPTIONS响应包含Access-Control-Allow-Origin
。
我很好奇我需要做什么才能通过OPTIONS飞行前胸衣检查?
以下是从两个浏览器复制的请求和响应。
% ## FIREFOX
% curl -i 'http://localhost:5000/sql/change_document_contents?id=1' -X OPTIONS -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Access-Control-Request-Method: POST' -H 'Access-Control-Request-Headers: content-type' -H 'Referer: http://localhost:3000/' -H 'Origin: http://localhost:3000' -H 'Connection: keep-alive'
<ol-Request-Headers: content-type' -H 'Referer: http://localhost:3000/' -H 'Origin: http://localhost:3000' -H 'Connection: keep-alive'
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS
Server: Werkzeug/1.0.1 Python/3.9.5
Date: Sat, 29 May 2021 06:08:59 GMT
%
% ## CHROME
% curl 'http://localhost:5000/sql/change_document_contents?id=1'
-i
-X 'OPTIONS'
-H 'Connection: keep-alive'
-H 'Accept: */*'
-H 'Access-Control-Request-Method: POST'
-H 'Access-Control-Request-Headers: content-type'
-H 'Origin: http://localhost:3000'
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36'
-H 'Sec-Fetch-Mode: cors'
-H 'Sec-Fetch-Site: same-site'
-H 'Sec-Fetch-Dest: empty'
-H 'Referer: http://localhost:3000/'
-H 'Accept-Language: en-US,en;q=0.9'
--compressed
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS
Server: Werkzeug/1.0.1 Python/3.9.5
Date: Sat, 29 May 2021 06:12:11 GMT
正如您所看到的,标头在那里,但CORS错误仍然出现。Firefox在飞行前请求中给出错误CORS Missing Allow标头,在实际POST请求中给出NS_error_DOM_BAD_URI。而Chrome说";跨源资源共享错误:HeaderDisabledByPreflightResponse;
响应缺少Access-Control-Allow-Headers
标头。事后看来,Chrome的错误消息指向了这一点。
要修复此问题,请将Access-Control-Allow-Headers: Content-Type
添加到响应中。