plupload runtimes returning 403 FORBIDDEN error when trying to access upload.php

问题

Introduction

I'm trying to achieve something relatively simple, in a potentially complicated environment. I would like to upload files, from a JavaScript widget (Netvibes UWA format) to a local intranet server, using the plupload jQuery UI plugin.

Problem

I've set my code up seemingly correctly - the plupload container appears and I can happily select and upload files. The uploading seems to work - each file hits 100% - but when I check my Firebug console, I get the following error:

OPTIONS upload.php - 403 Forbidden

And the files does not upload to my specified files directory.

Environment

• Origin server is frogserver.curriculum.local on internal IP 192.168.3.15
• Recipient server is staff.curriculum.local on internal IP 192.168.3.60
• Origin server is linux, but I have no direct access to HTML/JS/PHP/SQL, everything has to be done via the aforementioned Netvibes Universal Widget API. It's an enclosed Virtual Learning Environment solution provided by www.frogtrade.com
• Recipient server is Windows/IIS

Code

JavaScript

widget.onLoad = function(){
    $( "#datetime" ).datepicker({ dateFormat: "yy-mm-dd" });
    Input.init();

    /* plupload */
    $("#uploader").plupload({
        // General settings
        runtimes : 'html5,flash,html4',
        url : 'http://staff.curriculum.local/frog/LOTS/upload.php',
        max_file_size : '1000mb',
        max_file_count: 20, // user can add no more then 20 files at a time
        chunk_size : '1mb',
        rename: true,
        multiple_queues : true,

        // Resize images on clientside if we can
        resize : {width : 320, height : 240, quality : 90},

        // Rename files by clicking on their titles
        rename: true,

        // Sort files
        sortable: true,

        // Specify what files to browse for
        filters : [
            {title : "Image files", extensions : "jpg,gif,png"},
            {title : "Zip files", extensions : "zip,avi"}
        ],

        // Flash settings
        flash_swf_url : '/user/74/186718.swf'
    });

    // Client side form validation
    $('form').submit(function(e) {
        var uploader = $('#uploader').plupload('getUploader');

        // Files in queue upload them first
        if (uploader.files.length > 0) {
            // When all files are uploaded submit form
            uploader.bind('StateChanged', function() {
                if (uploader.files.length === (uploader.total.uploaded + uploader.total.failed)) {
                    $('form')[0].submit();
                }
            });

            uploader.start();
        } else
            alert('You must at least upload one file.');

        return false;
    });
}

HTML

<form  method="post" action="../dump.php">
    <div id="uploader">
        <p>Your browser doesn't have Flash, Silverlight, Gears, BrowserPlus or HTML5 support.</p>
    </div>
</form>

PHP

The PHP script I'm using is the bundled upload.php file handling script, with the addition of this code at the top:

// * - stands for all domains
header("Access-Control-Allow-Origin: *");

I've also changed the upload directory target:

// Settings
//$targetDir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
$targetDir = 'files';

Thoughts

• I'm not sure if this is classed as being a "cross-domain" file transfer or not? I've tried to set it up as if it is, hence the Access-Control-Allow-Origin header in my PHP script
• The Netvibes UWA and VLE setup may be getting in the way, somehow
• The IIS permissions on the LOTS folder for the Internet Guest account appears to be correct (i.e. "Read" permissions) but I'm not entirely sure; it has "Deny" on "Special Permissions" and I can't seem to see what those permissions are, or change that

Edit: IIS Permissions

Just checked, and everything seems correct:

回答1:

[Edit] CORS

As permissions seems alright, that might be a CORS problem.

I stumbled upon monsur's answer on this question : Is it possible to use XMLHttpRequest across Domains , quoting :

A CORs request actually consists of two physical HTTP requests: 1) The preflight request, and 2) the actual request. The request you posted above looks like the preflight request, since it is uses the HTTP OPTIONS method. So the first thing you have to do is verify that your server accepts OPTIONS requests (I believe this should just work, but it may explain why you are receiving a 403).

Permissions

According to this doc :

Create a separate folder for your uploaded content and change the NTFS file permissions on the upload folder

By doing this, you can configure the behavior of uploaded content differently from the rest of your Web application. Grant the upload folder Read and Write permissions for the IIS worker process identity. For IIS 6.0 in Windows Server 2003, you can use the IIS_WPG user group for this. For IIS 7.0 and later, you can use the IIS_IUSRS user group.

You might be checking permissions for the wrong user (IUSR_ASHVOIP), try IIS_WPG (seems to be this one for you) or IIS_IUSRS depending on your configuration.

来源：https://stackoverflow.com/questions/16144879/plupload-runtimes-returning-403-forbidden-error-when-trying-to-access-upload-php