PHP脚本执行即使客户端出现了CORS错误
我在飘动的Web应用程序中遇到了一个奇怪的情况。我正在向PHP脚本提出请求,该脚本似乎给我带来了CORS错误,但似乎无论如何都会执行PHP代码...
当我提出请求时,Flutter Web应用程序会引发异常
XMLHttpRequest error
,而Chrome Developer工具网络选项卡显示cors error在status列的列中。
但是,尽管如此,似乎该脚本实际上是执行的,并将数据插入数据库。
PHP脚本是否可以执行,同时仍会在客户端上给CORS错误?
I have run into a strange situation in a Flutter Web application. I am making a request to a PHP script which appears to give me a CORS error, but it seems that the PHP code gets executed anyway...
When I make the request, the Flutter Web app throws an exception
XMLHttpRequest error
and the Chrome developer tools network tab shows CORS error in the status column for the request.
But despite this, it seems like the script is actually executed and inserting data into the database.
Is it possible that a PHP script can execute while still giving a CORS error on the client?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您需要在执行代码之前先检查脚本中的HTTP方法:
浏览器向服务器提出选项请求以检查CORS,该请求将执行您的脚本,如果CORS Check Pass通过选项调用,另一个用于通话
You need to check the http method in your script before executing your code :
The browser make a OPTIONS request to the server to check cors, which will execute your script, and if the cors check pass, your script will be called twice, one for the OPTIONS call, and another for the GET call
因此,这是我对正在发生的事情的理解。
Web应用程序向服务器提出了GET请求。
由于该应用程序正在浏览器中运行,因此浏览器处理应用程序的请求。
2.1。浏览器将
Origin标题添加到请求中,并将值设置为当前域,Web应用程序正在运行。2.2浏览器将请求发送到服务器。
服务器接收请求并将其继承到PHP脚本。
PHP脚本可以决定
4.1 a)检查
onect> onect请求标头,并设置access-control-allow-origin-origin响应标头,其中包括或不包括<<<代码> Origin 域,或4.1 b)只需正常执行即可在不检查
onect> onect请求标头或设置access-control-allow-allow-origin响应标头。<<<<<<<<<<<<<<<<< /p>4.2由PHP脚本决定是否决定或不执行,并且不返回任何数据。
PHP脚本已完成执行,Web服务器将响应发送回客户端。
浏览器检查
access-control-allow-Origin标题它从PHP脚本中返回。6.1 a)如果它包含
onecor域(或是通配符 *),则浏览器将响应的内容回到应用程序中。6.1 b)否则,浏览器会执行“相同的来源原理”,并将“ CORS错误”发送回Web应用程序。
因此,我认为我最初的混乱是,如果未设置CORS标题,服务器将根本不会执行请求。但是,实际发生的事情只是一切正常执行时,PHP脚本将一些数据插入数据库并发送响应,但是当浏览器检测到响应不包含允许
onecon 域要读取响应,它不允许应用程序查看响应(即使浏览器已经收到了它,并且可能包含一个完全正常的JSON/HTML/WHITHER)。其他答案讨论了前飞行前
选项请求,在这种情况下似乎根本不会发生。 “ nofollow noreferrer”> mozilla cors cors“不要触发CORS前飞行。So here is my understanding of what's happening.
The web app makes a GET request to the server.
Since the app is running in a browser, the browser handles the request for the app.
2.1. The browser adds an
Originheader to the request, with the value set to the current domain the web app is running on.2.2 The browser sends the request to the server.
The server receives the request and relays it to the PHP script.
The PHP script can decide wether to
4.1 a) inspect the
Originrequest header and set anAccess-Control-Allow-Originresponse header that includes or excludes theOrigindomain, or4.1 b) just execute normally without checking the
Originrequest header or setting theAccess-Control-Allow-Originresponse header.4.2 It's up to the PHP script do decide wether or not to execute, and wether or not to return any data.
The PHP script has finished executing and the web server sends the response back to the client.
The browser inspects the
Access-Control-Allow-Originheader it got back from the PHP script.6.1 a) If it includes the
Origindomain (or is a wildcard *), the browser relays back the contents of the response back to the app.6.1 b) Otherwise, the browser enforces the "same origin principle" and sends a "CORS error" back to the web app.
So I think my initial confusion was that the server wouldn't execute the request at all if the CORS headers weren't set. But what's actually happening is just that everything executes normally, the PHP script inserts some data into the database and sends a response, but when the browser detects that the response doesn't contain a CORS header that allows the
Origindomain to read the response, it doesn't let the app see the response (even though the browser has already received it and it might contain a perfectly normal JSON/HTML/whatever).The other answers talk about preflight
OPTIONSrequests, which do not seem to take place at all in this case. The Mozilla CORS documentation explains that "simple requests" don't trigger a CORS preflight.