javascript Chrome Websockets CORS 政策
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22644392/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Chrome Websockets CORS policy
提问by Josh Wilson
I'm having trouble opening a websocket in Chrome. It seems that there is some CORS policy in chrome for websockets.
我在 Chrome 中打开 websocket 时遇到问题。似乎在 chrome 中有一些用于 websockets 的 CORS 策略。
If I am on www.example.com and attempt to open the websocket at api.example.com it'll say pending on the console network tab, and will fire the onerror with a message WebSocket connection to 'wss://api.example.com' failed: Connection closed before receiving a handshake response. If I look at the server I do not see a request for a web socket connection being made, so there is no options request to respond to, or Ability to set an Access-Control-Allow-Origin header.
However if I first make a request to api.example.com which on the browser will redirect me back to www.example.com it'll work fine.
如果我在 www.example.com 上并尝试在 api.example.com 上打开 websocket,它会在控制台网络选项卡上说待处理,并且会用消息触发 onerror WebSocket connection to 'wss://api.example.com' failed: Connection closed before receiving a handshake response。如果我查看服务器,我没有看到正在发出 Web 套接字连接的请求,因此没有选项请求可以响应,也没有设置 Access-Control-Allow-Origin 标头的能力。但是,如果我首先向 api.example.com 发出请求,该请求在浏览器上会将我重定向回 www.example.com,它会正常工作。
Are you required to use the same origin for websocket requests in chrome?
您是否需要对 chrome 中的 websocket 请求使用相同的来源?
Note: this issue is only with chrome.
注意:此问题仅适用于 chrome。
采纳答案by Josh Wilson
I came across this issue again. I still haven't figured out why, but making an OPTIONS(or any other) request to the subdomain first allows the connection to be opened.
我又遇到了这个问题。我仍然没有弄清楚原因,但是OPTIONS首先向子域发出(或任何其他)请求允许打开连接。
This only seems to be a problem with wss connections, and has popped up across multiple domains and certificates.
这似乎只是 wss 连接的问题,并且已经在多个域和证书中出现。
回答by oberstet
There is no browser enforced CORS with WebSocket. Here are 2 things that can go wrong (assuming you use both HTTPS and WSS):
WebSocket 没有浏览器强制执行 CORS。这里有两件事可能会出错(假设您同时使用 HTTPS 和 WSS):
- the serverenforces an
Origin. TheOriginHTTP header is set by the browser to the origin of the HTML page containing the JavaScript that is opening the WebSocket connection. A server MAY check that header and deny. But since you say other browsers are working (which?), this is unlikely - since you are using
wss, the server certificate MUST be completely valid, and acceptable to the browser without any user interaction. Is this the case?
- 该服务器强制执行的
Origin。所述OriginHTTP标头是由浏览器到包含被打开WebSocket连接JavaScript的HTML页面的原点设置。服务器可以检查该标头并拒绝。但既然你说其他浏览器正在工作(哪个?),这不太可能 - 由于您使用的是
wss,服务器证书必须完全有效,并且无需任何用户交互即可被浏览器接受。是这种情况吗?
回答by mhgbrown
This sounds like it has to do with making cross-origin requests that are not "simple". HTTP requests that are not simple are "preflighted" by the browser (Chrome at least) with "OPTIONS" automatically. I'm guessing the browser is just enforcing this behavior.
这听起来似乎与发出不“简单”的跨域请求有关。浏览器(至少是 Chrome)使用“OPTIONS”自动“预检”了不简单的 HTTP 请求。我猜浏览器只是在强制执行这种行为。
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Simple_requestshttps://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Simple_requests https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests
回答by webinista
Try setting an Access-Control-Allow-Originheader on api.example.com that allows www.example.com.
尝试Access-Control-Allow-Origin在 api.example.com 上设置一个允许 www.example.com的标题。
![javascript SyntaxError:无法在“文档”上执行“querySelector”:“[object HTMLDocument]”不是有效的选择器](/res/img/loading.gif)