Fiber CORS中间件返回空的Access-Control-Allow-Origin头部值。

huangapple go评论104阅读模式
英文:

Fiber CORS Middleware returning null Access-Control-Allow-Origin Header Value

问题

我正在使用Go Fibre Web框架及其配套的CORS中间件组件来实现我的RESTful API。我按照官方文档中的说明配置了CORS,但是奇怪的是,当我使用cURL或Postman调用API时,响应中的"Access-Control-Allow-Origin"头部存在,但其值为"null",因此似乎接受了来自任何主机的请求。

以下是我按照当前文档设置的代码(你可以在这里找到文档):

// 实例化服务器并存储到本地
apiServer := fiber.New()

// 为特定的端点设置CORS
apiServer.Use("/api/v1/authentications/manage/login", cors.New(cors.Config{
    AllowOrigins:     "http://[my-domain].com",
    AllowCredentials: true,
}))

目前没有明显的错误,我能够成功编译应用程序。然而,当部署生成的应用程序并使用cURL向端点发出请求并转储响应头时,我看到以下内容:

HTTP/1.1 401 Unauthorized
< Date: Mon, 07 Jun 2021 11:28:31 GMT
< Content-Type: application/json
< Content-Length: 130
< Connection: keep-alive
< Vary: Origin
< Access-Control-Allow-Origin: 
< Access-Control-Allow-Credentials: true

请注意:由于这是一个身份验证端点,并且我在请求中省略了身份验证凭据,因此返回了预期的401响应。然而,即使提供了正确的凭据,任何调用该端点的客户端都会收到200 OK的响应。现在,我当然可以手动添加所需的响应头,但我真的更愿意使用CORS中间件,因为它比手动方法更简洁。

英文:

I'm using the Go Fibre Web Framework and its complementary CORS Middleware component to implement my RESTful API. I configure CORS as specified in the official documentation however, rather oddly, when I then go on to call the API from cURL or Postman the: "Access-Control-Allow-Origin" Header is present in response but its value is: null and thus requests from any host appear to be being accepted.

Here is my setup as per the current documentation (which you may find here):

//instantiate sever and store to local
apiServer = fiber.New()

//Setup CORS for a specific endpoint.
apiServer.Use(&quot;/api/v1/authentications/manage/login&quot;, cors.New(cors.Config{
	AllowOrigins:     &quot;http://[my-domain].com&quot;,
	AllowCredentials: true,
}))

Now there are no immediate or obvious errors and I'm able to successfully compile the application. However, when the resulting application is deployed and I use cURL to make a request to the endpoint and dump the resulting response headers I see the following:

HTTP/1.1 401 Unauthorized
&lt; Date: Mon, 07 Jun 2021 11:28:31 GMT
&lt; Content-Type: application/json
&lt; Content-Length: 130
&lt; Connection: keep-alive
&lt; Vary: Origin
&lt; Access-Control-Allow-Origin: 
&lt; Access-Control-Allow-Credentials: true

Please note: the 401 Response is being returned as expected since (as per above) this is an Authentication endpoint and I omitted authentication credentials from the request. However, even when the correct credentials ARE provided a 200 OK Response is returned to any client that calls the endpoint. Now I could, of course, manually append the requisite headers to the response myself, but I really would rather utilise the CORS Middleware as it much cleaner than the manual approach.

答案1

得分: 1

“Access-Control-Allow-Origin”头部在响应中存在,但其值为null,因此似乎接受来自任何主机的请求。

这不是它的工作方式。头部“Access-Control-Allow-Origin”应该包含发出请求的特定客户端的来源,或者通配符“*”,以便被浏览器接受。如果来源头部不满足您允许的来源,响应头部将是一个空字符串,您可以在源代码中看到(https://github.com/gofiber/fiber/blob/master/middleware/cors/cors.go#L112)。

英文:

> "Access-Control-Allow-Origin" Header is present in response but its value is: null and thus requests from any host appear to be being accepted.

That is not how it works. The header Access-Control-Allow-Origin should either contain the origin for the specific client making the request, or the wildcard *, in order to be accepted by the browser. If the origin header does not satisfy the origins you allowed, the response header will be an empty string as you can see in the source code.

huangapple
  • 本文由 发表于 2021年6月7日 20:09:19
  • 转载请务必保留本文链接:https://go.coder-hub.com/67871370.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定