Question
We have a multi-tenant web application hosted on IIS with two headers (SiteA and SiteB). The application uses Autodesk Forge Viewer on the client side. Everything was working fine until last week, when this started happening: when browsing the application with the URL "http://www.siteA.com" it works fine. Now if we browse the same application using the URL "http://www.siteB.com" in another tab, the viewer does not load and we have two errors in the debug:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://developer.api.autodesk.com/viewingservice/v1/viewers/6.2.3/lmvworker.min.js. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘http://www.siteA.com’).
and
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://developer.api.autodesk.com/viewingservice/v1/viewers/6.2.3/res/locales/en/allstrings.json. (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘http://www.siteA.com’).
As the error suggests, although the Origin in the request header of the call is "http://www.siteB.com", the returned "Access-Control-Allow-Origin" in the response header is "http://www.siteA.com"!
Now if someone else (or we, using another browser) does the same but the other way around (first site B, then A), site B works fine but site A gives the error with the wrong response header.
Has anyone ever had such a problem? Is this a CDN cache issue, with any possible Autodesk Forge CDN servers updated? Any help to guide me in the right direction will be appreciated.
Thanks
Answer 1:
I am experiencing the exact same behaviour. In our case it is 2 different sites with 2 completely different domains.
We are using these URLs for loading script and CSS:
https://developer.api.autodesk.com/modelderivative/v2/viewers/7.*/viewer3D.min.js
https://developer.api.autodesk.com/modelderivative/v2/viewers/7.*/style.min.css
I have tested it in the latest Chrome / Firefox and in both browsers I get the error.
What I did:
- Visit site A => Everything works fine
- Visit site B => Not working
- Reset cache on site B => Everything works
- Visit site A => Not working
So the first site which loads the scripts from the CDN is the 'Winner' and that site works as expected.
I've tested it also by visiting: https://sample-collection.s3.amazonaws.com/advanced.html
After that I opened my development website and got this error:
Access to XMLHttpRequest at 'https://developer.api.autodesk.com/modelderivative/v2/viewers/7.*/lmvworker.min.js' from origin 'https://dev-bdh-project-sharing-management.bdh.nl' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://sample-collection.s3.amazonaws.com' that is not equal to the supplied origin.
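The "first site wins" behaviour reported above is what an HTTP cache produces when a response echoes the request Origin in Access-Control-Allow-Origin but is stored without being keyed on Origin. The simulation below is an added example, not part of the original posts and not Autodesk or browser code; the function names, the placeholder URL and the assumption that the cached response carries no "Vary: Origin" header are all hypothetical, since the page does not show the full response headers.

```javascript
// Constructed simulation; every name here is hypothetical.

// Origin server that reflects the request Origin into Access-Control-Allow-Origin.
// sendVary toggles whether it also declares "Vary: Origin".
function originServer(url, origin, sendVary) {
  const headers = { "access-control-allow-origin": origin };
  if (sendVary) headers["vary"] = "Origin";
  return { url, headers, body: "/* worker script */" };
}

// Minimal HTTP cache: an entry matches on URL plus the value of every request
// header named in the stored response's Vary header (RFC 9111 section 4.1).
class HttpCache {
  constructor() { this.entries = []; }
  lookup(url, reqHeaders) {
    return this.entries.find(e => e.url === url &&
      e.varyOn.every(h => e.reqHeaders[h] === reqHeaders[h]));
  }
  store(url, reqHeaders, response) {
    const varyOn = (response.headers["vary"] || "")
      .split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
    this.entries.push({ url, reqHeaders, varyOn, response });
  }
}

// Fetch through the cache, then apply the browser's CORS origin comparison.
function corsFetch(cache, url, origin, sendVary) {
  const reqHeaders = { origin };
  const hit = cache.lookup(url, reqHeaders);
  const response = hit ? hit.response : originServer(url, origin, sendVary);
  if (!hit) cache.store(url, reqHeaders, response);
  const acao = response.headers["access-control-allow-origin"];
  return { fromCache: Boolean(hit), acao, allowed: acao === "*" || acao === origin };
}

// Site A loads the script first, then site B, sharing one cache.
function visitBothSites(sendVary) {
  const cache = new HttpCache();
  const url = "https://cdn.example/viewer/lmvworker.min.js"; // placeholder URL
  return [
    corsFetch(cache, url, "http://www.siteA.com", sendVary),
    corsFetch(cache, url, "http://www.siteB.com", sendVary),
  ];
}

console.log("without Vary:", visitBothSites(false));
console.log("with Vary: Origin:", visitBothSites(true));
```

Without Vary, site B is handed the cached response carrying site A's origin and the CORS check fails; a response that declares "Vary: Origin", or that uses a fixed "*" for public static assets, does not have this problem.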
Answer 2:
As is suggested in the comments above - always use the below CDN URL to load Viewer:
https://developer.api.autodesk.com/modelderivative/v2/viewers/style.min.css?v=v7.*
The other address is not recommended per our official documentation.
Source: https://stackoverflow.com/questions/62162175/cors-header-access-control-allow-origin-does-not-match-incorrect-access-co