Nginx
CORS prevents js window.onerror from reporting information from a subdomain
To log Javascript errors, I set up a function with window.onerror that fires an ajax request and notifies me of script errors. I load all static files from a subdomain, and if an error occurs in a file outside the main domain, CORS seems to strip the information because of leakage… https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onerror#notes
I tried to solve this by setting Access-Control-Allow-Origin like this:
add_header Access-Control-Allow-Origin https://static.example.com;
but without success.
My subdomain also sends an Access-Control-Allow-Origin for the main domain.
Document headers:
Request URL: https://www.example.com/de/kontaktformular.html
Request Method: GET
Status Code: 200
Remote Address: XXX
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-origin: https://static.example.com
cache-control: no-store, no-cache, must-revalidate
content-encoding: br
content-security-policy: ...
content-type: text/html; charset=UTF-8
date: Tue, 10 Aug 2021 10:21:35 GMT
expect-ct: enforce,max-age=30
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
referrer-policy: same-origin
server: nginx
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
:authority: www.example.com
:method: GET
:path: /de/kontaktformular.html
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: de-IT,de;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6
cache-control: no-cache
cookie: __Host-PHPSESSID=k2284o6ejliq4t9113bicbv5tr; cookie_alert=1; cart=MjMtLC03OC0sLTF8fDU1LSwtMTI3LSwtMXx8NTUtLC0xMjgtLC0x
pragma: no-cache
referer: https://www.example.com/de/XXX.html
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Headers of the JS file from the subdomain:
Request URL: https://static.example.com/jquery_scripts.128.js
Request Method: GET
Status Code: 200
Remote Address: XXX
Referrer Policy: same-origin
access-control-allow-origin: https://www.example.com
cache-control: public, max-age=31536000, s-maxage=31536000
content-encoding: gzip
content-type: text/javascript;charset=UTF-8
date: Tue, 10 Aug 2021 10:21:35 GMT
expires: Wed, 10 Aug 2022 10:21:35 GMT
last-modified: Tue, 10 Aug 2021 09:38:16 GMT
server: nginx
strict-transport-security: max-age=15768000; includeSubDomains
vary: Accept-Encoding
x-content-type-options: nosniff
:authority: static.example.com
:method: GET
:path: /jquery_scripts.128.js
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: de-IT,de;q=0.9,en-US;q=0.8,en;q=0.7,de-DE;q=0.6
cache-control: no-cache
pragma: no-cache
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
sec-ch-ua-mobile: ?0
sec-fetch-dest: script
sec-fetch-mode: no-cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
From the same document:
If the server sends a response with an Access-Control-Allow-Origin value that is an explicit origin (rather than the "*" wildcard), then the response should also include a Vary response header with the value Origin, to indicate to browsers that server responses can differ based on the value of the Origin request header.
Access-Control-Allow-Origin: https://developer.mozilla.org
Vary: Origin
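The JavaScript below is an added example and is not code from the question, from MDN or from Nginx. It models the rule a browser applies before handing an exception to window.onerror, and wraps a reporting handler that flags the sanitized "Script error." case so it is not mistaken for a real, uninformative error. The rule it encodes: a cross-origin <script> without a crossorigin attribute is fetched in no-cors mode (the sec-fetch-mode: no-cors visible on the jquery_scripts.128.js request above), executes normally, and has its errors reduced to "Script error." with an empty source and zero line/column regardless of any Access-Control-Allow-Origin header on the script response; with crossorigin="anonymous" the same fetch becomes a CORS request, full details are exposed when the script host allows the page origin (an explicit origin or "*"), and the script is blocked outright when it does not. The Access-Control-Allow-Origin header sent by the document at www.example.com is never consulted for this; only the header on the script response at static.example.com matters. The function names, the /log-error endpoint and the injected send callback are assumptions for illustration.

```javascript
// Added example, not from the original question. Models when window.onerror
// gets full error details for a <script src=...>, and builds the report to send.
// Origins, attribute values and the /log-error endpoint are illustrative.

/**
 * Predict what happens to exceptions thrown by an external script.
 * crossorigin: undefined (attribute absent), "" or "anonymous", or "use-credentials".
 * allowOrigin / allowCredentials: Access-Control-Allow-Origin and
 * Access-Control-Allow-Credentials on the script response (undefined if absent).
 * Returns { loads, exposed, reason }: does the script run at all, and does
 * window.onerror receive message/source/line/column/error for its exceptions.
 */
function scriptErrorDetails({ pageOrigin, scriptOrigin, crossorigin, allowOrigin, allowCredentials }) {
  if (pageOrigin === scriptOrigin) {
    return { loads: true, exposed: true, reason: "same-origin script" };
  }
  if (crossorigin === undefined || crossorigin === null) {
    // No crossorigin attribute: the browser fetches in no-cors mode
    // ("sec-fetch-mode: no-cors"), runs the script, and sanitizes its errors to
    // "Script error." no matter what Access-Control-Allow-Origin says.
    return { loads: true, exposed: false, reason: "no-cors script: errors sanitized regardless of ACAO" };
  }
  const mode = crossorigin === "" ? "anonymous" : crossorigin;
  let allowed;
  if (mode === "use-credentials") {
    // Credentialed CORS: the "*" wildcard is not accepted and ACAC must be true.
    allowed = allowOrigin === pageOrigin && allowCredentials === true;
  } else {
    allowed = allowOrigin === pageOrigin || allowOrigin === "*";
  }
  if (!allowed) {
    // A failed CORS check blocks the script entirely; it is not merely muted.
    return { loads: false, exposed: false, reason: `CORS check failed for crossorigin=${mode}: ACAO=${allowOrigin ?? "(missing)"}, page=${pageOrigin}` };
  }
  return { loads: true, exposed: true, reason: `CORS-loaded script (crossorigin=${mode})` };
}

/** Shape the window.onerror arguments into a report and flag the sanitized case. */
function buildErrorReport(message, source, lineno, colno, error) {
  const text = String(message);
  const muted = /^Script error\.?$/.test(text) && !source && !lineno && !colno;
  return {
    muted,                                  // true => fix how the script is loaded, not the handler
    message: text,
    source: source || null,
    line: lineno || 0,
    column: colno || 0,
    stack: error && error.stack ? String(error.stack) : null,
  };
}

/**
 * Install a window.onerror reporter. send(endpoint, body) is injected so the
 * handler can be exercised outside a browser; in a page use navigator.sendBeacon.
 */
function installErrorReporter(endpoint, send) {
  const handler = function (message, source, lineno, colno, error) {
    send(endpoint, JSON.stringify(buildErrorReport(message, source, lineno, colno, error)));
    return false; // keep the browser's own console logging of the error
  };
  if (typeof window !== "undefined") window.onerror = handler;
  return handler;
}

// Constructed scenarios built from the origins and headers in the question.
function demo() {
  const page = "https://www.example.com", cdn = "https://static.example.com";
  return {
    asPosted: scriptErrorDetails({ pageOrigin: page, scriptOrigin: cdn, crossorigin: undefined, allowOrigin: page }),
    withAttr: scriptErrorDetails({ pageOrigin: page, scriptOrigin: cdn, crossorigin: "anonymous", allowOrigin: page }),
    wrongAcao: scriptErrorDetails({ pageOrigin: page, scriptOrigin: cdn, crossorigin: "anonymous", allowOrigin: cdn }),
  };
}

if (typeof window === "undefined") {
  const sent = [];
  const handler = installErrorReporter("/log-error", (url, body) => sent.push({ url, body }));
  handler("Script error.", "", 0, 0, null);                                  // constructed sanitized call
  handler("TypeError: x is undefined", "https://static.example.com/jquery_scripts.128.js", 12, 5, new TypeError("x is undefined"));
  console.log(JSON.stringify(demo(), null, 2));
  console.log(sent.map((s) => JSON.parse(s.body).muted)); // [ true, false ]
}
```

Run under Node to see the three scenarios; the "asPosted" case (no crossorigin attribute, correct header on static.example.com) loads but stays muted, which is the combination the headers above show. The change that moves it to "withAttr" is adding crossorigin="anonymous" to the script tag on www.example.com while static.example.com keeps sending access-control-allow-origin: https://www.example.com; since that static response is cacheable for a year, the Vary: Origin header quoted from MDN should accompany it.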