Cross-domain cookies in preflight requests
Two components:
On login Apigee sets a jwt cookie using the Set-Cookie header:
Set-Cookie: jwt={jwtoken};secure;httponly;path=/;samesite=none
On the client side Chrome shows me this cookie for the frame https://react.mycompany.com:
name: jwt
value: XXX
domain: apigee.proxy.com
path: /
httpOnly: true
secure: true
sameSite: none
Now on non-auth requests Apigee checks the presence of the jwt cookie before processing the request.
The cookie is not sent on the OPTIONS preflight request and therefore all calls fail.
On the client side we use the fetch() API with credentials: 'include'.
What am I missing here?
Browsers don't ever send cookies in preflight OPTIONS requests. So what the question describes is expected behavior. And the reason browsers don't send cookies in the preflight is because the spec for the CORS protocol requires browsers to exclude cookies and all other standard credentials (e.g., the Authorization header) from the preflight. See https://fetch.spec.whatwg.org/#ref-for-credentials%E2%91%A5, which states:
a CORS-preflight request never includes credentials
…and see also the answer at https://stackoverflow.com/a/50959576/441757.
So the server the preflight is sent to must be configured to allow unauthenticated OPTIONS requests — and must respond to OPTIONS requests with a 200 OK even if a request doesn't include any cookies or other credentials. That's a fundamental requirement of the CORS protocol.
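The server-side policy the answer describes, as an added example that is not part of the question, the answer, or Apigee itself: a credential-free CORS preflight is answered with 200 and the CORS headers, while every other request is still gated on the jwt cookie. The allowed origin and cookie name are taken from the question; the request/response shapes are assumed for illustration.

```javascript
// Added example: origin-server policy that exempts the CORS preflight from the
// cookie check, because browsers never send cookies on a preflight OPTIONS.
const ALLOWED_ORIGIN = "https://react.mycompany.com"; // origin from the question
const AUTH_COOKIE = "jwt";                              // cookie name from the question

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// A CORS preflight is OPTIONS with Origin and Access-Control-Request-Method.
function isPreflight(req) {
  return req.method === "OPTIONS" &&
    !!req.headers["origin"] &&
    !!req.headers["access-control-request-method"];
}

// req = { method, headers } with lower-cased header names (assumed shape).
// Returns { status, headers } for the response.
function handle(req) {
  const origin = req.headers["origin"];
  // Credentialed CORS requires echoing the exact origin, never "*".
  const cors = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
  if (origin && origin !== ALLOWED_ORIGIN) return { status: 403, headers: {} };
  if (isPreflight(req)) {
    // No cookie check here: the browser will not have sent one.
    return {
      status: 200,
      headers: {
        ...cors,
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers":
          req.headers["access-control-request-headers"] || "Content-Type",
      },
    };
  }
  // Actual request: the jwt cookie is required before processing continues.
  const cookies = parseCookies(req.headers["cookie"]);
  if (!cookies[AUTH_COOKIE]) return { status: 401, headers: cors };
  return { status: 200, headers: cors };
}
```

The client-side fetch() with credentials: 'include' from the question only sends the cookie on the second, actual request, which is the one handle() checks.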