express - JSON 有效负载中的 URL 导致 CORS 问题
问题描述
我有一个用于应用程序的带有 React 前端的 GraphQL 后端。CORS 策略设置为仅允许前端https://my.server:443
访问后端https://my.server:4444
,并且它工作得很好......大部分时间。
我的 Express.js 服务器启动如下:
server.start(
{
cors: {
credentials: true,
origin: [ "https://my.server" ]
},
},
(deets) => {
console.log(`Server is now running on port http://localhost:${deets.port}`);
}
);
当我使用包含 URL 的有效负载向 API 发出 POST 请求时,我收到 CORS 错误。这是对话:
选项请求:
OPTIONS / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://my.server/qualifications
Origin: https://my.server
Connection: keep-alive
TE: Trailers
回复:
HTTP/2 204 No Content
date: Thu, 15 Oct 2020 12:16:25 GMT
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin, Access-Control-Request-Headers
access-control-allow-credentials: true
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-headers: content-type
X-Firefox-Spdy: h2
发布请求:
POST / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 616
Origin: https://my.server
Referer: https://my.server/qualifications
Connection: keep-alive
Cookie: token=eyJhbGc<removed-jwt>gmWVO_I68
TE: Trailers
有效载荷:
{
"operationName": "UPDATE_QUALIFICATION_MUTATION",
"variables": {
"id": "ckf54v5lm0dck07821octvj4b",
"name": "MBA",
"description": "Testing Links",
"link": "http://www.google.com" <---- URL in payload
},
"query": "mutation UPDATE_QUALIFICATION_MUTATION($id: ID!, $name: String, $link: String, $description: String, $company: CompanyUpdateOneInput) {\n updateQualification(where: {id: $id}, data: {name: $name, link: $link, description: $description, company: $company}) {\n id\n name\n description\n link\n company {\n id\n name\n __typename\n }\n __typename\n }\n}\n"
}
回复:
HTTP/2 403 Forbidden
server: awselb/2.0
date: Thu, 15 Oct 2020 12:16:25 GMT
content-type: text/html
content-length: 118
X-Firefox-Spdy: h2
OKAY...让我们在没有 URL 的情况下再试一次...
让我感到困惑的是,当我做同样的事情时,除了包含 URL 的一个字段 - 我得到这个:
选项请求:
OPTIONS / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Referer: https://my.server/qualifications
Origin: https://my.server
Connection: keep-alive
TE: Trailers
回复:
HTTP/2 204 No Content
date: Thu, 15 Oct 2020 13:07:41 GMT
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin, Access-Control-Request-Headers
access-control-allow-credentials: true
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-headers: content-type
X-Firefox-Spdy: h2
发布请求:
POST / HTTP/2
Host: my.server:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 560
Origin: https://my.server
Referer: https://my.server/qualifications
Connection: keep-alive
Cookie: token=eyJhbG<removed-jwt>WVO_I68
TE: Trailers
带有效载荷:
{
"operationName": "UPDATE_QUALIFICATION_MUTATION",
"variables": {
"id": "ckf54v5lm0dck07821octvj4b",
"name": "MBA",
"description": "Testing Links",
"link": "not-a-url" <---- THIS CHANGED
},
"query": "mutation UPDATE_QUALIFICATION_MUTATION($id: ID!, $name: String, $link: String, $description: String, $company: CompanyUpdateOneInput) {\n updateQualification(where: {id: $id}, data: {name: $name, link: $link, description: $description, company: $company}) {\n id\n name\n description\n link\n company {\n id\n name\n __typename\n }\n __typename\n }\n}\n"
}
回复:
HTTP/2 200 OK
date: Thu, 15 Oct 2020 13:07:41 GMT
content-type: application/json
content-length: 173
x-powered-by: Express
access-control-allow-origin: https://my.server
vary: Origin
access-control-allow-credentials: true
X-Firefox-Spdy: h2
现在它工作正常??我留下的问题比其他任何事情都多:
- 请求的 JSON 有效负载如何影响 CORS?
- 我的 Express 服务器 CORS 配置中是否缺少某些内容?
- 在有效负载中发送 URL 是否存在某种一般性问题?
- 如果是这样,是否有建议的解决方法?(我只是要在前端对其进行 base64 编码/解码,但必须这样做似乎是“错误的”!)
任何指针将不胜感激!
解决方案
我们今天偶然发现了一个类似的问题。
事实证明,在我们的案例中,它是由拒绝请求的 WAF 配置引起的。我们在分析 WAF 采样和负载均衡器日志后发现了这一点。
祝你好运!
推荐阅读
- ios - popViewController 抛出“在键值观察者仍在注册时释放”错误
- python-3.x - 多线程 PyOpenCV 显示
- javascript - 如何解决开始时间为上午 10:55 和结束时间为晚上 10:00 的问题?
- javascript - nodejs中如何根据key和salt进行加密?
- nginx - NGINX 的重定向规则
- c++ - 不带参数的可变模板函数
- android - 如何让 Firebase 用户在谷歌登录功能之外颤抖?
- sql - 3706 语法错误:预期介于整数和 ')' 之间
- azure - Azure 成本管理 - 如何将 ResourceGuid 与 ResourceId 匹配
- asp.net - 在 Azure Active Directory 的所有网站集中权限中找不到读写项目和列表