Why did the delete response have no cors header in the webdav server?
Posted: 2015-02-26 05:47:40
Question: I want to implement CORS for WebDAV.
My machine has a WebDAV server whose IP address is 192.168.7.88. I test CORS from the IP 127.0.0.1.
My web server configuration (httpd-dav.conf):
DavLockDB "/opt/apache/var/DavLock"
Alias /webdav "/webdav"
<Location /webdav>
DAV On
Header set Access-Control-Allow-Origin "http://127.0.0.1"
Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Methods "COPY, DELETE, GET, HEAD, MKCOL, OPTIONS, POST, PROPFIND, PUT"
Header set Access-Control-Allow-Headers "Overwrite, Destination, Content-Type, Depth, Range, Content-Range, Cache-Control"
Header set Access-Control-Expose-Headers "DAV, content-length, Allow"
Header set Access-Control-Max-Age "36000"
AuthType Basic
AuthName "webdav"
<Limit COPY, DELETE, GET, HEAD, LOCK, MKCALENDAR, MKCOL, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, PUT, REPORT, SEARCH, UNCHECKOUT, UNLOCK>
Order allow,deny
Allow from all
# IP address you allow
Require valid-user
</Limit>
</Location>
#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[01234]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
BrowserMatch " Konqueror/4" redirect-carefully
Request headers - OPTIONS:
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language zh-cn,en-us;q=0.7,en;q=0.3
Access-Control-Request-Me... DELETE
Connection keep-alive
Host 192.168.7.88
Origin http://127.0.0.1
User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0 Firephp/0.7.4
x-insight activate
Response headers - OPTIONS (STATUS = 200 OK):
Access-Control-Allow-Cred... true
Access-Control-Allow-Head... Overwrite, Destination, Content-Type, Depth, Range, Content-Range, Cache-Control
Access-Control-Allow-Meth... COPY, DELETE, GET, HEAD, MKCOL, OPTIONS, POST, PROPFIND, PUT
Access-Control-Allow-Orig... http://127.0.0.1
Access-Control-Expose-Hea... DAV, content-length, Allow
Access-Control-Max-Age 36000
Access-Control-Request-He... Origin, Content-Type
Allow OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,PUT,LOCK,UNLOCK
Connection Keep-Alive
Content-Length 0
Content-Type text/plain
DAV 1,2, <http://apache.org/dav/propset/fs/1>
Date Tue, 30 Dec 2014 03:25:53 GMT
Keep-Alive timeout=5, max=99
MS-Author-Via DAV
Server Apache/2.4.10 (Unix) PHP/5.5.15
Request headers - DELETE:
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language zh-cn,en-us;q=0.7,en;q=0.3
Connection keep-alive
Host 192.168.7.88
Origin http://127.0.0.1
Referer http://127.0.0.1/webdavtest
User-Agent Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:34.0) Gecko/20100101 Firefox/34.0 FirePHP/0.7.4
x-insight activate
Response headers - DELETE (STATUS = 204 No Content):
Connection Keep-Alive
Content-Length 0
Content-Type text/plain
Date Tue, 30 Dec 2014 01:26:31 GMT
Keep-Alive timeout=5, max=98
Server Apache/2.4.10 (Unix) PHP/5.5.15
But Firefox says:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://192.168.7.88/webdav/b.txt.
This can be fixed by moving the resource to the same domain or enabling CORS.
I know the DELETE response has no CORS headers, which is why Firefox says this.
Why does the DELETE response have no CORS headers?
Answer 1: This is a known limitation of Apache's implementation of RFC 2616.
This is more or less the same problem as the one described in this question.
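Added example, not part of the original question or answer: a simplified model of the CORS check a browser applies first to the preflight response and then to the actual response, run over the headers captured in the question. The function names are hypothetical, and it assumes the DELETE is sent with credentials (the server uses Basic auth); the special handling of wildcard and safelisted methods is left out.

```javascript
// Header values are copied from the captures in the question.
const ORIGIN = "http://127.0.0.1";

const preflightResponse = {
  "access-control-allow-origin": "http://127.0.0.1",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods":
    "COPY, DELETE, GET, HEAD, MKCOL, OPTIONS, POST, PROPFIND, PUT",
};

// The 204 response to DELETE carried no Access-Control-* headers at all.
const deleteResponse = { "content-length": "0", "content-type": "text/plain" };

// Origin/credentials check, applied to the preflight AND to the actual response.
function corsCheck(headers, origin, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "missing Access-Control-Allow-Origin";
  if (withCredentials) {
    // With credentials the wildcard is not accepted; the origin must match exactly.
    if (allowOrigin !== origin) return "origin mismatch";
    if (headers["access-control-allow-credentials"] !== "true")
      return "missing Access-Control-Allow-Credentials: true";
  } else if (allowOrigin !== "*" && allowOrigin !== origin) {
    return "origin mismatch";
  }
  return null; // passes
}

// Preflight-only addition: the requested method must be listed.
function preflightCheck(headers, origin, method, withCredentials) {
  const failure = corsCheck(headers, origin, withCredentials);
  if (failure) return failure;
  const methods = (headers["access-control-allow-methods"] || "")
    .split(",").map((m) => m.trim());
  return methods.includes(method) ? null : "method not allowed";
}

// Reports the first stage at which the browser would block the request.
function diagnose(preflight, actual, origin, method, withCredentials) {
  const p = preflightCheck(preflight, origin, method, withCredentials);
  if (p) return { stage: "preflight", reason: p };
  const a = corsCheck(actual, origin, withCredentials);
  if (a) return { stage: "response", reason: a };
  return { stage: "ok", reason: null };
}

console.log(diagnose(preflightResponse, deleteResponse, ORIGIN, "DELETE", true));
```

A passing preflight only permits the browser to send the DELETE; the 204 response is checked again on its own, which is where the captured exchange fails.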