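I've run into a strange CORS problem that I have never experienced before. I am making a GET request to an endpoint that is set to access-control-allow-origin: *. This is the output with curl -v: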
[me:~]$ curl -v https://example.org/wp-json/jwr/v1/instagram
* Trying 123.123.123.123...
* TCP_NODELAY set
* Connected to example.org (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 21 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "example.org" matched cert's "example.org"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9cf5808200)
> GET /wp-json/jwr/v1/instagram HTTP/2
> Host: example.org
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Tue, 05 May 2020 21:41:48 GMT
< content-type: application/json; charset=UTF-8
< content-length: 10378
< set-cookie: __cfduid=d6e8c142300b62cb6b4fd207fe1912a7a1588714908; expires=Thu, 04-Jun-20 21:41:48 GMT; path=/; domain=.example.org; HttpOnly; SameSite=Lax; Secure
< x-powered-by: PHP/7.3.17
< x-robots-tag: noindex
< link: <https://example.org/wp-json/>; rel="https://api.w.org/"
< x-content-type-options: nosniff
< access-control-expose-headers: X-WP-Total, X-WP-TotalPages
< access-control-allow-headers: Authorization, Content-Type
< allow: GET
< access-control-allow-origin: *
< access-control-allow-methods: POST, GET, OPTIONS, DELETE
< access-control-allow-credentials: true
< access-control-expose-headers: Link
< etag: "129925-1588714700;;;"
< x-litespeed-cache: hit
< vary: User-Agent
< alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 58eda0b43d6fd881-CPH
< cf-request-id: 028862c4a60000d88135a8f200000001
However, in Chrome I get the error message:
Access to XMLHttpRequest at 'https://example.org/wp-json/jwr/v1/instagram' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
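I tried disabling CORS in Google Chrome (web security disabled), and then it works. I checked the response headers, and the allow-origin header is present there too.
I also tried copying the Chrome network request as a cURL command, and it runs fine, with no errors on the PHP side and the CORS headers set.
One odd thing I found is that it only happens after I log in, although the two requests look very similar. I am using Nuxt and https://github.com/nuxt-community/auth-module, but the problem does not happen on all calls, even though the calls are very similar (same API REST endpoint).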
The problem was that I had "allow-origin: *", and that is not allowed when using withCredentials: true. So I had to define the origin, and then it seems to work.
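
The browser-side check behind the fix described above, as an added example that is not part of the original post: a simplified version of the Fetch standard's CORS check, run against the two CORS headers from the curl output, next to a server-side allowlist helper. The function names and the allowlist are assumptions made for illustration; curl performs no such check, so the same response succeeds there.

```javascript
// Added example: CORS check from the Fetch standard, simplified to the
// two headers discussed in the post. Header names are lowercase keys.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  const withCredentials = credentialsMode === "include";
  if (allowOrigin === "*") {
    // The wildcard only satisfies requests made without credentials.
    return withCredentials
      ? { ok: false, reason: "wildcard origin not allowed with credentials" }
      : { ok: true, reason: "wildcard accepted without credentials" };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (!withCredentials) return { ok: true, reason: "origin matched" };
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  return headers["access-control-allow-credentials"] === "true"
    ? { ok: true, reason: "origin matched, credentials allowed" }
    : { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
}

// Hypothetical server-side helper: echo the origin only when it is on an
// explicit allowlist, and vary caches on Origin so responses are not mixed.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return { vary: "Origin" };
  return {
    "access-control-allow-origin": requestOrigin,
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
}

// CORS headers as they appear in the curl output above.
const asServed = {
  "access-control-allow-origin": "*",
  "access-control-allow-credentials": "true",
};
const origin = "http://localhost:3000"; // origin from the Chrome error
const fixed = corsHeadersFor(origin, [origin]); // constructed allowlist

console.log(corsCheck(origin, "omit", asServed)); // passes
console.log(corsCheck(origin, "include", asServed)); // blocked
console.log(corsCheck(origin, "include", fixed)); // passes
```

Reflecting an arbitrary Origin header back without the allowlist would make any site a credentialed caller, which is why the helper returns no allow-origin header for origins it does not list.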