Firefox throws a CORS error, but it works fine in Chrome

I have set the following in apache

RequestHeader edit "If-None-Match" '^"((.*)-(gzip|br))"$' '"$1", "$2"'

# Matches http and https origins on the listed hosts and any of their subdomains; $0 is the whole match
SetEnvIf Origin "^http(s)?:\/\/(.+\.)?(iac-dev-ci\.shared\.sp\.domain\.com|bsi\.domain\.com)$" AccessControlAllowOrigin=$0
Header always set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
# The header name takes no trailing colon in mod_headers directives
Header always set Access-Control-Allow-Credentials "true" env=AccessControlAllowOrigin
Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=AccessControlAllowOrigin
Header always set Access-Control-Allow-Headers "Authorization" env=AccessControlAllowOrigin
# Allow-Origin differs per requester, so shared caches must key on Origin
Header always merge Vary Origin env=AccessControlAllowOrigin

<Directory /var/SP/httpd/${INSTANCE}/${INSTANCE}.domain.com/docs>
    # OPTIONS must stay reachable: it carries the CORS preflight advertised in Access-Control-Allow-Methods
    <LimitExcept GET POST HEAD OPTIONS>
        Require all denied
    </LimitExcept>

    Options FollowSymLinks
    AllowOverride None
    Require all granted

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Strict
    Header set X-Frame-Options "sameorigin"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</Directory>

It seems to work fine on Edge and Chrome, but Firefox throws a CORS error

Chrome

Request headers (view parsed)

GET /iwsapi/user/verify/flow/src/O1.DVZ/dst/IA.DVZ/proto/tcp/ports/80 HTTP/1.1
Host: prodsupp.domain.com
Connection: keep-alive
sec-ch-ua: Google Chrome 78
Accept: */*
Origin: https://iac-dev-ci.shared.sp.domain.com
Authorization: Basic VkZHUk9VUFNWQy1JYUM6VGIzN2lhTm81NnNnOWVocA==
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Referer: https://iac-dev-ci.shared.sp.domain.com/apex/f?p=137:1500:16957915227558::YES:1500:P1500_SQL_SOURCE,P1500_VALIDATE,P1500_KEY,P1500_CLUSTER_KEY,P1500_PARENT_TABLE:002,true,22080,14021,EEnvironment&cs=1ffDglEmwMtTaOl7cBFckgUgziyk&p_dialog_cs=7Vzw99OYcu5rN3I64L2PcfLLaiY
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7

Response headers (view parsed)

HTTP/1.1 200 OK
Date: Wed, 04 Dec 2019 12:23:26 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
http-equiv: X-UA-Compatible; content=IE=edge
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
x-pagination-count: 0
x-pagination-limit: 10
x-pagination-offset: 0
Access-Control-Allow-Origin: https://iac-dev-ci.shared.sp.domain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Authorization
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: max-age=43200, no-cache, must-revalidate
Content-Length: 586
Content-Type: application/json; charset=utf-8
Set-Cookie: PHPSESSID=4df5da639da6c7ab7c066c514c6554db; expires=Thu, 05-Dec-2019 12:23:27 GMT; Max-Age=86400; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=4df5da639da6c7ab7c066c514c6554db; path=/; secure
X-Robots-Tag: noindex
Keep-Alive: timeout=60, max=99
Connection: Keep-Alive

Firefox

Host: prodsupp.domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Referer: https://iac-dev-ci.shared.sp.domain.com/apex/f?p=137:1500:15629545468068::YES:1500:P1500_SQL_SOURCE,P1500_VALIDATE,P1500_KEY,P1500_CLUSTER_KEY,P1500_PARENT_TABLE:002,true,22080,14021,EEnvironment&cs=1ffDglEmwMtTaOl7cBFckgUgziyk&p_dialog_cs=77oHMBbYtD5h7GlcyJfmpgljuMQ
Origin: https://iac-dev-ci.shared.sp.domain.com
Connection: keep-alive

Response

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://prodsupp.domain.com/iwsapi/user/verify/flow/src/O1.DVZ/dst/IA.DVZ/proto/tcp/ports/80. (Reason: CORS request did not succeed)
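Added example, not code from the question or from Apache: a small Python model of the checks a browser applies to a CORS preflight response, run against constructed requests and responses modelled on the headers quoted above. The Basic credential is replaced by a placeholder, the success response copies the CORS headers from the Chrome capture, and the 403 case is an assumption about what `<LimitExcept GET POST HEAD>` with `Require all denied` would return for the OPTIONS preflight. The point it separates is that Firefox's "CORS request did not succeed" is the outcome for no HTTP response at all (the OPTIONS request failed at the network or TLS level), which is a different failure from a non-2xx preflight or a header mismatch, each of which Firefox reports with its own reason.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Request headers a browser may send cross-origin without a preflight
# (simplified: the value restrictions on Content-Type etc. are ignored).
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_METHODS = {"GET", "HEAD", "POST"}


@dataclass
class CorsRequest:
    method: str
    origin: str
    headers: Dict[str, str]      # headers the page itself adds (not browser-added ones)
    credentials: bool = True     # fetch(..., credentials="include") / xhr.withCredentials


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _csv(value: Optional[str]) -> set:
    return {x.strip().lower() for x in (value or "").split(",") if x.strip()}


def needs_preflight(req: CorsRequest) -> bool:
    """True if the browser must send an OPTIONS preflight before this request."""
    if req.method.upper() not in SAFE_METHODS:
        return True
    return any(h.lower() not in SAFELISTED_HEADERS for h in req.headers)


def check_preflight(req: CorsRequest, resp: Optional[HttpResponse]) -> Optional[str]:
    """Apply the browser-side preflight checks. Returns None on success, otherwise a
    reason string modelled on Firefox's console messages."""
    if resp is None:
        # No HTTP response at all (DNS, TCP or TLS failure): the OPTIONS request never completed.
        return "CORS request did not succeed"
    if not 200 <= resp.status < 300:
        return f"CORS preflight response did not succeed (HTTP {resp.status})"
    acao = _get(resp.headers, "Access-Control-Allow-Origin")
    if acao is None:
        return "CORS header 'Access-Control-Allow-Origin' missing"
    if acao == "*":
        if req.credentials:
            return "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'"
    elif acao != req.origin:
        return f"CORS header 'Access-Control-Allow-Origin' does not match '{acao}'"
    if req.credentials and (_get(resp.headers, "Access-Control-Allow-Credentials") or "").lower() != "true":
        return "expected 'true' in CORS header 'Access-Control-Allow-Credentials'"
    methods = _csv(_get(resp.headers, "Access-Control-Allow-Methods"))
    m = req.method.upper()
    wildcard_methods = "*" in methods and not req.credentials
    if m not in SAFE_METHODS and m.lower() not in methods and not wildcard_methods:
        return "Did not find method in CORS header 'Access-Control-Allow-Methods'"
    allowed = _csv(_get(resp.headers, "Access-Control-Allow-Headers"))
    wildcard_headers = "*" in allowed and not req.credentials
    for h in req.headers:
        hl = h.lower()
        if hl in SAFELISTED_HEADERS or hl in allowed:
            continue
        if wildcard_headers and hl != "authorization":   # '*' never covers Authorization
            continue
        return f"header '{hl}' is not allowed according to header 'Access-Control-Allow-Headers' from CORS preflight channel"
    return None


# Constructed sample data modelled on the headers quoted in the question (credential redacted).
PREFLIGHT = CorsRequest(
    method="GET",
    origin="https://iac-dev-ci.shared.sp.domain.com",
    headers={"Authorization": "Basic <redacted>"},
)

# The CORS headers the Apache config emits once the OPTIONS request reaches mod_headers.
ALLOWED = HttpResponse(200, {
    "Access-Control-Allow-Origin": "https://iac-dev-ci.shared.sp.domain.com",
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization",
})

# Assumed: a 403 carrying the same headers, as <LimitExcept GET POST HEAD> / Require all denied
# would answer an OPTIONS preflight ('Header always' still applies to error responses).
DENIED = HttpResponse(403, dict(ALLOWED.headers))


def demo() -> Dict[str, object]:
    return {
        "needs_preflight": needs_preflight(PREFLIGHT),
        "allowed": check_preflight(PREFLIGHT, ALLOWED),
        "denied": check_preflight(PREFLIGHT, DENIED),
        "no_response": check_preflight(PREFLIGHT, None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `Authorization` header is why both browsers preflight this GET (Chrome 78's DevTools simply did not list preflight requests), so the first thing to confirm on the Firefox side is whether the OPTIONS request received any response at all, for example in the Network tab or with curl -X OPTIONS against the same URL from the same machine.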
