CORS request is preflighted, but it seems like it should not be

自闭症患者 2020-12-01 16:42

The following cross-origin POST request, with a content-type of multipart/form-data and only simple headers is preflighted. According to the W3C spec, unless I am reading i

2 Answers
  • 2020-12-01 17:07

    My guess is that the "boundary" on the Content-Type header is causing issues. If you are able to reproduce this, it should be filed as a browser bug, since the spec states that the Content-Type header check should exclude parameters.

  • 2020-12-01 17:10

    I ended up checking out the WebKit source code in an attempt to figure this out (after Google did not yield any helpful hits). It turns out that WebKit will force any cross-origin request to be preflighted simply if you register an onprogress event handler. I'm not entirely sure, even after reading the code comments, why this logic was applied.

    In XMLHttpRequest.cpp:

    void XMLHttpRequest::createRequest(ExceptionCode& ec)
    {
        ...
    
        // The presence of upload event listeners forces us to use preflighting because POSTing to an URL that does not
        // permit cross origin requests should look exactly like POSTing to an URL that does not respond at all.
        // Also, only async requests support upload progress events.
        bool uploadEvents = false;
        if (m_async) {
            m_progressEventThrottle.dispatchEvent(XMLHttpRequestProgressEvent::create(eventNames().loadstartEvent));
            if (m_requestEntityBody && m_upload) {
                uploadEvents = m_upload->hasEventListeners();
                m_upload->dispatchEvent(XMLHttpRequestProgressEvent::create(eventNames().loadstartEvent));
            }
        }
    
        ...
    
        // uploadEvents, computed above, decides whether the preflight is forced.
        options.preflightPolicy = uploadEvents ? ForcePreflight : ConsiderPreflight;
    
        ...
    }
    


    UPDATE: Firefox applies the same logic as WebKit, it appears. Here is the relevant code from nsXMLHttpRequest.cpp:

    nsresult
    nsXMLHttpRequest::CheckChannelForCrossSiteRequest(nsIChannel* aChannel)
    {
        ...
    
        // Check if we need to do a preflight request.
        nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
        NS_ENSURE_TRUE(httpChannel, NS_ERROR_DOM_BAD_URI);
    
        nsAutoCString method;
        httpChannel->GetRequestMethod(method);
        if (!mCORSUnsafeHeaders.IsEmpty() ||
            (mUpload && mUpload->HasListeners()) ||
            (!method.LowerCaseEqualsLiteral("get") &&
             !method.LowerCaseEqualsLiteral("post") &&
             !method.LowerCaseEqualsLiteral("head"))) {
          mState |= XML_HTTP_REQUEST_NEED_AC_PREFLIGHT;
        }
    
        ...
    }
    

    Notice the mUpload && mUpload->HasListeners() portion of the conditional.

    Seems like WebKit and Firefox (and possibly others) have inserted some logic into their preflight-determination code that is not sanctioned by the W3C spec. If I'm missing something in the spec, please comment.

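The preflight decision discussed in the two answers, modelled as an added example (not code from the answers or from either browser). `preflightReasons` and its option names are hypothetical; the simple method, header and content-type lists are the ones from the W3C CORS definitions the question refers to, and the sample request is constructed.

```javascript
// Added illustration: models the checks in the quoted Firefox conditional
// (unsafe headers, upload listeners, non-simple method). Not a browser API.
const SIMPLE_METHODS = new Set(["get", "post", "head"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// The Content-Type check excludes parameters, so "; boundary=..." is dropped
// before the media type is compared (the point made in the first answer).
function mediaType(value) {
  return String(value).split(";")[0].trim().toLowerCase();
}

// Names of author-set headers that are not "simple" and so require a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SIMPLE_HEADERS.has(n)) return true;
      return n === "content-type" && !SIMPLE_CONTENT_TYPES.has(mediaType(value));
    })
    .map(([name]) => name);
}

// Returns every reason a cross-origin request would be preflighted.
// An empty array means the request is sent without an OPTIONS round trip.
function preflightReasons({ method, headers = {}, hasUploadListeners = false }) {
  const reasons = [];
  if (!SIMPLE_METHODS.has(method.toLowerCase())) reasons.push("method");
  const unsafe = unsafeHeaders(headers);
  if (unsafe.length > 0) reasons.push("headers:" + unsafe.join(","));
  // The browser-specific condition shown in both quoted excerpts:
  // a listener on xhr.upload forces the preflight on its own.
  if (hasUploadListeners) reasons.push("upload-listeners");
  return reasons;
}

// Constructed sample: the multipart POST from the question, with and without
// an upload progress listener registered.
const sample = { method: "POST", headers: { "Content-Type": "multipart/form-data; boundary=----constructed" } };
console.log(preflightReasons(sample));
console.log(preflightReasons({ ...sample, hasUploadListeners: true }));
```

A server that accepts such uploads therefore has to answer the OPTIONS request correctly even when the POST itself uses only simple headers.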