301重定向被CORS阻塞,尽管我允许它在Express和Nginx中
我尝试使用Express JS Front进行登录页面
: http://example.com
api: http://api.example.com
at http://example.com/login ,有登录表单。 我将ID和密码发送到API服务器,并带有以下代码:
const url = 'http://api.example.com/login';
fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
}).then((response) => {
console.log(response.redirected);
if (response.redirected) {
response.redirect(response.url);
}
}).catch((err) => {
console.log(err);
});
at http://api.example.com/login ,我发送了以下代码的重定向响应:
// **** //
app.use(cors()); // I allowed cors aleardy, and checked it worked by fetching json data from other origin.
// **** //
app.post('/login', function(req, res) {
const query = 'select id, password' +
' from user' +
" where id = '" + req.body.id + "'";
db.query(query, (err, result) => {
if (!!result) {
if (result.length === 0) {
res.send("no_id");
} else {
if (req.body.pw === result[0].password) {
res.redirect(301, 'http://example.com'); // if success to login, let browser go to main page from login page.
}
else {
console.log("wrong password");
res.send("worng_pw");
}
}
}
else {
console.log(err);
}
});
});
和主页,
location / {
... (alias setting. it isn't reason of this cors error)
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
try_files $uri $uri/ $uri/index.html $uri.html =404;
}
然后,当我尝试登录时,我从Chorme收到了此消息。访问'http://example.com'(从'http://api.example.com/login'重定向),从origin'http://www.example.com'已被阻止CORS策略:在请求的资源上没有“访问控制”标头。如果不透明的响应满足您的需求,请将请求模式设置为“无仪表”,以通过禁用CORS来获取资源。,
由于NGINX的CORS设置用于选项方法,我成功地推出了Prefflight请求。 但是主要请求总是失败。
获取JSON总是成功的,但是“只有301重定向”因CORS错误而失败。 我搜索了一个星期,但无法解决问题。
我该如何解决这个问题?
I tried to make a login page with express js
Front : http://example.com
API : http://api.example.com
At http://example.com/login, there is login form.
I send id and password to API server with following code:
const url = 'http://api.example.com/login';
fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(data),
}).then((response) => {
console.log(response.redirected);
if (response.redirected) {
response.redirect(response.url);
}
}).catch((err) => {
console.log(err);
});
At http://api.example.com/login, I sent redirect response with following code:
// **** //
app.use(cors()); // I allowed cors aleardy, and checked it worked by fetching json data from other origin.
// **** //
app.post('/login', function(req, res) {
const query = 'select id, password' +
' from user' +
" where id = '" + req.body.id + "'";
db.query(query, (err, result) => {
if (!!result) {
if (result.length === 0) {
res.send("no_id");
} else {
if (req.body.pw === result[0].password) {
res.redirect(301, 'http://example.com'); // if success to login, let browser go to main page from login page.
}
else {
console.log("wrong password");
res.send("worng_pw");
}
}
}
else {
console.log(err);
}
});
});
and the main page, http://example.com/, is running on nginx.
so I allowed cors in nginx conf file. like this:
location / {
... (alias setting. it isn't reason of this cors error)
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' "$http_origin" always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
try_files $uri $uri/ $uri/index.html $uri.html =404;
}
and then, when I tried to login I got this message from chorme.Access to fetch at 'http://example.com' (redirected from 'http://api.example.com/login') from origin 'http://www.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Thanks to the nginx's cors setting for option method, I successed preflight request.
but main request always failed.
Fetching json always success, but 'only 301 redirect' failed by cors error.
I googled for a week, but I could't solve the problem.
How can I solve this problem?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论