Original URL: http://stackoverflow.com/questions/16151096/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
CORS preflight request returning "403 Forbidden"; subsequent request then only sending in Chrome
Asked by dunc
After failure using pluploader in this question, I'm now trying FineUploader.
After reading up on CORS, I've implemented various headers on my IIS6 server.
What seems to happen is that my script fires the first (preflight) authorisation request, which fails, but Chrome allows the second (standard) request to send anyway - Firefox does not. I presume this is actually a bug on behalf of Chrome, but at least it has allowed me to work out that my script is probably working correctly.
Here is the first (preflight) request as seen in Chrome and FF:
OPTIONS /frog/LOTS/upload/php.php HTTP/1.1
Host: staff.curriculum.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Origin: http://frogserver.curriculum.local
Access-Control-Request-Method: POST
Access-Control-Request-Headers: cache-control,x-requested-with
Pragma: no-cache
Cache-Control: no-cache
The Access-Control... headers are those that I've added to IIS.
And here are my response headers:
HTTP/1.1 403 Forbidden
Content-Length: 1758
Content-Type: text/html
Server: Microsoft-IIS/6.0
x-powered-by: ASP.NET
Access-Control-Allow-Origin: http://frogserver.curriculum.local
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Cache-Control
Access-Control-Allow-Methods: OPTIONS, GET, POST
Access-Control-Expose-Headers: Origin, X-Requested-With
Date: Mon, 22 Apr 2013 15:19:20 GMT
I've tried to compare the two side by side but I can't find any missing headers which would cause the preflight request to return a 403 Forbidden error.
I haven't included my PHP source as it's a lot of code. Suffice to say that it does work in Chrome and that the file is correctly uploaded, so the script should be correct. The only thing which may be worth mentioning is that I've got a header("Content-Type: text/plain"); at the start of my script. Changing that to text/html makes no difference to Chrome nor FireFox.
The JavaScript is quite straightforward:
$('#jquery-wrapped-fine-uploader').fineUploader({
    request: {
        endpoint: 'http://staff.curriculum.local/frog/LOTS/upload/php.php'
    },
    cors: {
        expected: true, //all requests are expected to be cross-domain requests
        sendCredentials: true //if you want cookies to be sent along with the request
    }
});
Can anyone help? I've spent literally 8 hours on this single problem today and I'm >< close to ripping my own face off....!!
Thanks in advance,
Accepted answer by dunc
It's taken me a week, but I've finally found the problem.
By default, IIS6 does not support the OPTIONS verb on .php files (or .asp(x) for that matter).
As such, it wasn't recognising the OPTIONS preflight call at all.
To change this value in IIS6, follow these steps:
- In the IIS Manager, go to your root web site directory. Right-click it and select "Properties"
- Go to the Home Directory tab, then select the "Configuration" button at the bottom
- Find the relevant file extension of the script you're trying to communicate with, such as .php or .asp and click "edit"
- Add OPTIONS to the list of available verbs (should now display something like REQUEST, GET, POST, OPTIONS)
- Add the code below to your PHP script to determine responses from IE
I couldn't get Internet Explorer working without the following code in my PHP script:
/* Is the request from Internet Explorer? */
if( !isset( $_SERVER['HTTP_X_REQUESTED_WITH'] )
    || ( isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] != "XMLHttpRequest" ) ) {
    /* If so, we need to send a UUID and iframe XSS response script... */
    header("Content-Type: text/html");
    /* This needs some extra security, for sure */
    if( $result["success"] == "true" )
        $result["uuid"] = $_POST["qquuid"];
    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
    echo "<script src='iframe.xss.response-3.4.1.js'></script>";
} else {
    /* Otherwise, we can just echo the json'd result */
    echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
}
I've given Ray Nicholus the 50 point bounty as although I didn't find his manner particularly helpful, he was right all along. However, for purposes of others viewing this post with a similar issue, I'll mark my answer as correct.
Answer by Ray Nicholus
As mentioned in my comments, this appears to be an issue with your server. For some reason, it is rejecting the initial OPTIONS request. You will need to look at your server logs to see why your server is responding to this request with a 403.
The user agent sends this initial OPTIONS (pre-flight) request. Fine Uploader does not send this request directly, the user agent sends it to be in compliance with the CORS spec. If you have specific questions about CORS, you can see my blog post on how Fine Uploader handles CORS, or/and you can read this excellent MDN article on CORS.
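As an added example (not code from the original posts, Fine Uploader, or any browser), the following models a simplified version of the checks a user agent applies to a preflight response and runs them on the exchange captured in the question: every Access-Control-* header matches the request, and the 403 status alone fails the preflight. `parseHttp` and `checkPreflight` are hypothetical names, and `FIXED` is a constructed response.

```javascript
// Added example: simplified model of a browser's CORS preflight check.
// parseHttp and checkPreflight are illustrative names, not browser or Fine Uploader APIs.
function parseHttp(raw) {
  const [startLine, ...rest] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of rest) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(startLine.split(' ')[1]), headers }; // status: responses only
}
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(rawRequest, rawResponse, withCredentials) {
  const req = parseHttp(rawRequest).headers;
  const res = parseHttp(rawResponse);
  const failures = [];
  if (!(res.status >= 200 && res.status <= 299)) failures.push(`status ${res.status} is not 2xx`);
  const allowOrigin = res.headers['access-control-allow-origin'];
  if (allowOrigin !== req.origin && (allowOrigin !== '*' || withCredentials))
    failures.push('Access-Control-Allow-Origin does not match Origin');
  if (withCredentials && res.headers['access-control-allow-credentials'] !== 'true')
    failures.push('Access-Control-Allow-Credentials is not "true"');
  // Simplified: safelisted methods/headers and wildcards are not special-cased.
  const method = (req['access-control-request-method'] || '').toLowerCase();
  if (!list(res.headers['access-control-allow-methods']).includes(method))
    failures.push(`method ${method} not allowed`);
  const allowed = list(res.headers['access-control-allow-headers']);
  for (const h of list(req['access-control-request-headers']))
    if (!allowed.includes(h)) failures.push(`header ${h} not allowed`);
  return failures;
}

// Preflight exchange from the question, abridged to the headers the check reads.
const REQUEST = `OPTIONS /frog/LOTS/upload/php.php HTTP/1.1
Origin: http://frogserver.curriculum.local
Access-Control-Request-Method: POST
Access-Control-Request-Headers: cache-control,x-requested-with`;
const RESPONSE = `HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: http://frogserver.curriculum.local
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Cache-Control
Access-Control-Allow-Methods: OPTIONS, GET, POST`;
// Constructed: the same headers with the status returned once the server accepts OPTIONS.
const FIXED = RESPONSE.replace('403 Forbidden', '200 OK');

console.log(checkPreflight(REQUEST, RESPONSE, true));
console.log(checkPreflight(REQUEST, FIXED, true));
```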