[英]How can I stop sending a preflight request on a redirect?
I discovered that six years ago, the previous developer commented out this line of code (Ruby, Rails): 我发现六年前,之前的开发人员注释掉了这行代码(Ruby,Rails):
#protect_from_forgery
I replaced it with the default: 我用默认值替换它:
protect_from_forgery with: :exception
and now I mysteriously get the following error when I try to add items to my cart while logged out: 当我在注销时尝试将项目添加到我的购物车时,我现在神秘地得到以下错误:
Access to XMLHttpRequest at 'https://id.foo-staging.com/openid/checklogin?return_to=http%3A%2F%2Flocalhost.foo-staging.com%3A3000%2Fcart%2Fitems' (redirected from 'http://localhost.foo-staging.com:3000/cart/items') from origin 'http://localhost.foo-staging.com:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
I've pinned down that this is happening because of the following lines: 我已经确定这是因为以下几行:
def get_user_identity_from_open_id_server
redirect_to "#{OPEN_ID_PROVIDER_URL}/openid/checklogin?return_to=#{Rack::Utils.escape(request.url)}"
end
def open_id_authentication
#stuff
get_user_identity_from_open_id_server
end
before_filter :open_id_authentication
I understand what causes a preflight request, at a very high level, thanks to the documentation. 由于文档的原因,我了解导致预检请求的原因很高。 But I don't think I'm doing any of those things. 但我不认为我正在做任何这些事情。
* the request method is anything other than GET, HEAD, or POST
* you’ve set custom request headers other than Accept, Accept-Language, Content-Language, Content-Type, DPR, Downlink, Save-Data, Viewport-Width, or Width
* the Content-Type request header has a value other than application/x-www-form-urlencoded, multipart/form-data, or text/plain
So my initial question is how do I determine what is triggering the preflight request, and then maybe I can figure out how to prevent it from happening. 所以我最初的问题是如何确定触发预检请求的内容,然后我可以弄清楚如何防止它发生。 Is this a situation that I can change on my end, or does something need to change on id.foo-staging.com (which I don't have access to, but could probably ask the right person to fix it for me). 这是我可以改变的情况,还是需要在id.foo-staging.com上更改某些内容(我无法访问,但可能会请求合适的人为我修复)。
I've been Googling all day, and nothing seems to make any sense to me, especially because I can't pin down precisely what's wrong. 我一整天都在谷歌搜索,似乎没有什么对我有任何意义,特别是因为我无法确切地说明错误。
I can solve the issue with this code: 我可以用这段代码解决问题:
skip_before_filter :open_id_authentication, :only => [:create], :if => :current_user and :anonymous_cart
But I have to assume that this is unsafe, from a security standpoint? 但从安全的角度来看,我必须假设这是不安全的?
ETA: This is what I see on the Network
tab for this request: ETA:这是我在Network
标签上看到的此请求:
General: 一般:
Request URL: https://id.foo-staging.com/openid/checklogin?return_to=http%3A%2F%2Flocalhost.foo-staging.com%3A3000%2Fcart%2Fitems Referrer Policy: no-referrer-when-downgrade
Request Headers: 请求标题:
Provisional headers are shown Access-Control-Request-Headers: x-requested-with Access-Control-Request-Method: GET Origin: http://localhost.foo-staging.com:3000 Referer: http://localhost.foo-staging.com:3000/p/Product0/1?id=1&slug=Product0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Query String Parameters: 查询字符串参数:
return_to: http://localhost.foo-staging.com:3000/cart/items
I presume the problem is the x-requested-with
request header. 我认为问题是x-requested-with
请求标头。 But I don't know how to resolve this. 但我不知道如何解决这个问题。
EATA: 吃一个:
Many JavaScript frameworks such as JQuery will automatically send this header along with any AJAX requests. This header cannot be sent cross-domain:
I guess my only option is to figure out how to rewrite this without AJAX? 我想我唯一的选择是弄清楚如何在没有AJAX的情况下重写它?
To avoid the preflight request you have to remove x-requested-with header but the error that you have is because the response location in the preflight call is different from the Origin. 要避免预检请求,您必须删除x-requested-with标头,但是您遇到的错误是因为预检调用中的响应位置与Origin不同。 To fix the problem, update your code to use the new URL as reported by the redirect, thereby avoiding the redirect. 要解决此问题,请更新代码以使用重定向报告的新URL,从而避免重定向。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.