While developing multiple services on Google Cloud Workstations, I ran into a CORS problem because multiple Cloud Workstations redirects are generated.
When I try to make an external request from the client (for example, service 2 to service 1, or my local desktop to service 1), I receive several redirects that never reach the service.
Test scenario:
Note: these services work in production, they currently work on different subdomains with CORS, and they also work locally on my personal laptop with CORS, but not on Cloud Workstations, because the headers are not present in the redirects.
https://2143-${workstation}.cluster-${cluster}.cloudworkstations.dev/sessionToken
https://${port}-${workstation}.cluster-${cluster}.cloudworkstations.dev/${service_route}

HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://ssh.cloud.google.com/devshell/gateway/oauth?state=${token}
Date: Tue, 09 May 2023 08:05:26 GMT

HTTP/2 302
content-type: application/binary
location: https://accounts.google.com/ServiceLogin?passive=1209600&osid=1&continue=https://ssh.cloud.google.com/devshell/gateway/oauth?state${state}
content-security-policy: ${policy}
cross-origin-opener-policy: same-origin-allow-popups
date: Tue, 09 May 2023 08:05:26 GMT
server: ESF
content-length: 0
x-xss-protection: 0
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

HTTP/2 302
set-cookie: ${cookie}
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 09 May 2023 08:05:27 GMT
location: https://accounts.google.com/InteractiveLogin?continue=https://ssh.cloud.google.com/devshell/gateway/oauth?state${state}
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: ${policy}
content-security-policy: require-trusted-types-for 'script';report-uri /_/AccountsSigninPassiveLoginHttp/cspreport
content-security-policy: require-trusted-types-for 'script';report-uri /cspreport
accept-ch: ${ch}
cross-origin-opener-policy: unsafe-none
cross-origin-resource-policy: cross-origin
permissions-policy: ${policy}
content-type: application/binary
report-to: ${report}
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

HTTP/2 302
content-type: text/html; charset=UTF-8
set-cookie: ${cookie}
x-frame-options: DENY
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 09 May 2023 08:05:27 GMT
location: https://accounts.google.com/v3/signin/identifier?dsh=${dsh}&continue=${continue}
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: ${policy}
content-security-policy: require-trusted-types-for 'script';report-uri /cspreport
cross-origin-opener-policy-report-only: same-origin; report-to="coop_gse_qebhlk"
report-to: ${report}
content-length: 1655
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
server: GSE
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

HTTP/2 200
content-type: text/html; charset=utf-8
x-frame-options: DENY
set-cookie: ${cookie}
x-auto-login: realm=com.google&args=continue%3Dhttps://ssh.cloud.google.com/devshell/gateway/oauth?state${state}
x-ua-compatible: IE=edge
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: Mon, 01 Jan 1990 00:00:00 GMT
date: Tue, 09 May 2023 08:05:27 GMT
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: ${policy}
content-security-policy: require-trusted-types-for 'script';report-uri /v3/signin/_/AccountsSignInUi/cspreport
cross-origin-resource-policy: same-site
report-to: ${report}
permissions-policy: ${policy}
cross-origin-opener-policy-report-only: same-origin; report-to="AccountsSignInUi"
accept-ch: ${ch}
server: ESF
x-xss-protection: 0
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
accept-ranges: none
vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-Encoding

https://accounts.google.com/v3/signin/identifier?${dsh}
The original request never reaches my Google Cloud Workstations instance.
Update, 21 May 2023: after further investigation, Google is setting a cookie that is used to validate workstation requests.
Sequence:
Service 2 (web app) on the Cloud Workstation. Google sets an HttpOnly, Secure cookie on the service 2 domain.
Name: WorkstationJwt; value: encoded JWT
Service 2 calls service 1 (REST API) on the Cloud Workstation.
The Google proxy intercepts the request and looks for the WorkstationJwt cookie before forwarding it; if the cookie is not present, the request to service 1 (API) on the Cloud Workstation fails and the original request is never received.
Thanks to GCP Support, I was able to call the backend API on a workstation while the React frontend is on another, different workstation.
The command they asked me to run is as follows (replace the placeholders):
curl -X PATCH "https://workstations.googleapis.com/v1alpha/projects/$PROJECT/locations/$LOCATION/workstationClusters/$CLUSTER/workstationConfigs/$CONFIG?update_mask=http_options.allowed_unauthenticated_cors_preflight_requests" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-d '{"http_options": {"allowed_unauthenticated_cors_preflight_requests": true}}'
Hope this helps; I think this is a feature that has not been documented yet.
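Why the fix in the answer targets preflight requests specifically: a browser never attaches cookies to a CORS preflight (OPTIONS), so a proxy that gates every request on the WorkstationJwt cookie, as described in the update above, will answer the preflight with a 302 to the login gateway before the service ever sees it, and the browser then rejects the whole cross-origin call. The script below is an added example (not code from the post or from Google) that sends such a preflight without following redirects and classifies the first response, so the same check can be run before and after applying the allowed_unauthenticated_cors_preflight_requests setting. The sample responses, hostnames and the list of login-gateway hosts are constructed from the redirect chain shown in the post; the classification heuristics are an assumption of this example.

```python
"""Diagnose whether a CORS preflight to a Cloud Workstations URL is answered
by the authentication proxy (302 to the login gateway) or by the service
itself (a 2xx carrying Access-Control-Allow-* headers).

Added example, not code from the original post or from Google. Hosts and
samples below are constructed from the redirect chain pasted in the post.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

# Hosts seen in the post's redirect chain; a Location pointing at one of them
# means the proxy answered before the request reached the service (assumption).
AUTH_HOSTS = ("ssh.cloud.google.com", "accounts.google.com")


def parse_raw_response(raw: str):
    """Parse a raw status line plus header block (the format pasted in the
    post) into (status_code, headers). Header names are lower-cased and
    repeated headers such as content-security-policy are joined with ', '."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" or "HTTP/2 302"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def classify_preflight(status: int, headers: dict, origin: str) -> str:
    """Classify the first response to a preflight:
    'auth_redirect'      proxy redirected to the login gateway (cookie gate hit)
    'other_redirect'     redirect somewhere else
    'cors_ok'            service answered and allows this origin
    'origin_not_allowed' service answered with CORS headers for another origin
    'no_cors_headers'    service answered but sent no Access-Control-Allow-Origin
    'error'              anything outside 2xx/3xx
    """
    if 300 <= status < 400:
        host = urlsplit(headers.get("location", "")).hostname or ""
        return "auth_redirect" if host in AUTH_HOSTS else "other_redirect"
    if 200 <= status < 300:
        allow = headers.get("access-control-allow-origin")
        if allow is None:
            return "no_cors_headers"
        return "cors_ok" if allow in (origin, "*") else "origin_not_allowed"
    return "error"


def send_preflight(url: str, origin: str, method: str = "GET", timeout: float = 10.0):
    """Send a real preflight (OPTIONS) and classify the first response without
    following redirects. Like a browser, it deliberately sends no cookies."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout, context=ssl.create_default_context())
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    conn.request("OPTIONS", path, headers={
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": "content-type,authorization",
    })
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return resp.status, headers, classify_preflight(resp.status, headers, origin)


# Constructed sample: the first hop of the post's redirect chain (state value made up).
SAMPLE_INTERCEPTED = """HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://ssh.cloud.google.com/devshell/gateway/oauth?state=EXAMPLE_STATE
Date: Tue, 09 May 2023 08:05:26 GMT
"""

# Constructed sample: what a preflight that reached the API should look like.
SAMPLE_ORIGIN = "https://3000-ws-frontend.cluster-example.cloudworkstations.dev"
SAMPLE_HEALTHY = f"""HTTP/2 204
access-control-allow-origin: {SAMPLE_ORIGIN}
access-control-allow-methods: GET, POST, PATCH
access-control-allow-headers: content-type, authorization
access-control-allow-credentials: true
vary: Origin
"""


def diagnose_samples(origin: str = SAMPLE_ORIGIN) -> dict:
    """Classify both constructed samples for the given browser origin."""
    samples = {"intercepted": SAMPLE_INTERCEPTED, "healthy": SAMPLE_HEALTHY}
    return {name: classify_preflight(*parse_raw_response(raw), origin)
            for name, raw in samples.items()}


if __name__ == "__main__":
    # Offline: classify the constructed samples. Online: pass <api_url> <origin>.
    print(diagnose_samples())
    if len(sys.argv) == 3:
        print(send_preflight(sys.argv[1], sys.argv[2]))
```

Run it with no arguments to see the two constructed samples classified; with an API URL and the frontend's origin it sends one real preflight. A result of auth_redirect before the PATCH and cors_ok afterwards is the expected before/after of the setting in the answer; origin_not_allowed or no_cors_headers afterwards points at the service's own CORS configuration rather than at the proxy.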