[英]Cross-Origin request blocked while Access-Control-Allow-Origin:* still reflect in the response
我发现一个端点似乎容易受到 CORS 配置错误的影响,我尝试了这个 POC:
<html>
<body>
<div id="poc">
<button type="button" onclick="cors()"></button>
</div>
<script>
function cors() {
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("poc").innerHTML = alert(this.responseText);
}
};
xhttp.open("GET", "https://somedomain.com/vulnerable/endpoint", true);
xhttp.withCredentials = true;
xhttp.send();
}
</script>
这些标头反映在响应中:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
如果用户未经身份验证,则默认返回 401
为什么我的请求被阻止?
如果您从本地主机发送此信息,则客户端正在运行 http。但它正在请求 https 服务器。这就是它显示错误的原因。但是,您可以在 chrome 中禁用 CORS 检查。 https://alfilatov.com/posts/run-chrome-without-cors/
跨域请求被阻止:CORS header 'Access-Control-Allow-Origin' 缺失
[英]Cross-Origin Request Blocked: CORS header ‘Access-Control-Allow-Origin’ missing
跨域请求被阻止:(原因:缺少CORS标头“ Access-Control-Allow-Origin”)
[英]Cross-Origin Request Blocked: (Reason: CORS header 'Access-Control-Allow-Origin' missing)
跨域请求被阻止(原因:CORS header 'Access-Control-Allow-Origin' 与 'http://localhost:3000/' 不匹配)
[英]Cross-Origin Request Blocked (Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘http://localhost:3000/’)
调用Web服务时遇到跨域“访问控制允许域”问题
[英]Facing Cross-Origin 'Access-Control-Allow-Origin' issue while calling webservice
CORS – 跨域请求被阻止 – 'Access-Control-Allow-Origin' 标头包含无效值
[英]CORS – Cross Origin Request Blocked – The 'Access-Control-Allow-Origin' header contains invalid value
Salesforce响应中的跨源问题(Access-Control-Allow-Origin)
[英]Cross origin issue in salesforce response(Access-Control-Allow-Origin)
交叉请求时出错:“ Access-Control-Allow-Origin不允许原产”?
[英]Error on cross request: “Origin is not allowed by Access-Control-Allow-Origin”?
ajax发布请求-跨域读取阻止(CORB)阻止了跨源响应CORS
[英]ajax post request - cross-Origin Read Blocking (CORB) blocked cross-origin response CORS
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.