CORS post with preflight request

前端 未结 4 1269
小鲜肉
小鲜肉 2021-02-06 10:12

I\'m trying to upload files to a service on a different domain using CORS, but they keep failing due to the origin being denied. As far as I can see the correct headers are bein

相关标签:
4条回答
  • 2021-02-06 10:44

    The subdomains are different. As far as CORS is concerned the subdomain, protocol and port have to be identical in the Origin and the Access-Control-Allow-Origin.

    In your example it looks like the origin is: https://www.example.com and the Access-Control-Allow-Origin is: https://files.example.com

    0 讨论(0)
  • 2021-02-06 10:47

    Try adding Cache-Control and Pragma to the list of allowed headers in the preflight. The full header should look like this:

    Access-Control-Allow-Headers: Cache-Control, Pragma, Origin, Authorization, Content-Type
    
    0 讨论(0)
  • 2021-02-06 10:54

    It's little late, but looking at your info it shows the pre-flight CORS check works OK, it's just the actual (2nd) CORS request where the response gets blocked by the browser.

    It's a pity you didn't include the response for the actual (2nd) CORS request because that might have contained the clue for the response rejection. My suspicion is that although the pre-flight response correctly contains the header:

    Access-Control-Allow-Origin:*
    

    ... your actual (2nd) response might not have contained that header, in which case the browser correctly rejects the response. If my assumption is true, the solution would be to just include this header also in the actual (non pre-flight) response.

    0 讨论(0)
  • 2021-02-06 11:00

    Unfortunately, POSTing to a domain other than your page's elicits CORS. That also includes different subdomains, ports and protocol (http/https).

    Preflight is done when the request is "not simple", meaning, a content-type header set to something other than "text/plain". Your "application/json" makes browsers get scared into preflighting.

    If those 50-200 ms are important to you, then you can rewrite your web service to understand the "simple" content type. If not, then you should make your web service throw back HTTP status 204 (no content) when it is tasked with OPTIONS (http method).

    When dealing with a wcf:

    WebOperationContext.Current.OutgoingResponse.StatusCode = System.Net.HttpStatusCode.NoContent;
    
    0 讨论(0)
提交回复
热议问题