英文:
CORS errors when using an Azure CDN with multiple origins
问题
我们已经在 Azure CDN Standard 端点上设置了自定义规则,根据请求的 Origin 来修改(覆盖)响应头。在定义的规则中,我们将 Access-Control-Allow-Origin 头的值设置为与请求的 Origin 相同的值,适用于下面提到的所有域名。
我们有多个站点从CDN URL获取数据:
- 主要内容传递环境
- 预览内容传递环境
当访问这些站点并在环境之间切换时,我们遇到了一些CORS错误。这些错误似乎都与 .woff 扩展字体文件有关。以下是一个示例错误:
访问来源于 'https://cdn.example.com/example.woff' 的字体已被 CORS 策略阻止:'Access-Control-Allow-Origin' 头的值 'https://sitename-preview.com' 与提供的来源不相等。
就好像已经从不同的URL访问了站点并已经从CDN请求了资源的情况下,CDN端点设置的规则不会被认可一样。
Microsoft已经承认在多个来源的情况下存在问题,详见:https://learn.microsoft.com/en-us/azure/cdn/cdn-cors,但提出的解决方案只适用于单一来源。如果我们为不同的规则添加多个来源,那么当浏览器首次缓存第一个CORS来源的 Access-Control-Allow-Origin 头时,仍然会出现问题。
除了将 Access-Control-Allow-Origin 头更改为 * 并将CDN放在WAF后面之外,是否有其他解决方法?我读到CORS规范在这里是一刀切的:https://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols,其中得票最高的答案表明它只支持 *、null 或完全协议 + 域名 + 端口。
英文:
We have set up custom rules on the Azure CDN Standard endpoint to modify (overwrite) the response header based on the Origin of the request. In the rules defined, we are setting the Access-Control-Allow-Origin header value to the same value as that of the Origin of the request for all of the domains of the below-mentioned sites.
We have multiple sites getting data served from the CDN URLs:
- A main content delivery environment
- A preview content delivery environment
We are seeing some CORS errors when accessing the sites and switching between the environments. These all seem to be related to .woff extension font files. This is an example error:
Access to font at 'https://cdn.example.com/example.woff' from origin 'https://sitename.com' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://sitename-preview.com' that is not equal to the supplied origin.
It is as if the rules set up for the CDN endpoint do not get acknowledged if you have already accessed a site from a different URL where you already requested assets from the CDN.
Microsoft has acknowledged that there is a problem in the multiple origin scenario here: https://learn.microsoft.com/en-us/azure/cdn/cdn-cors, but the proposed solution only caters to a single origin. If we add multiple origins to separate rules, then we still end up with the problem that occurs when the browser caches the Access-Control-Allow-Origin header for the first CORS origin.
Is there any workaround for this, other than to change the Access-Control-Allow-Origin header to * and put the CDN behind a WAF? I've read that the CORS spec is all or nothing here: https://stackoverflow.com/questions/14003332/access-control-allow-origin-wildcard-subdomains-ports-and-protocols, where the most upvoted answer states that it only supports *, null or the exact protocol + domain + port.
答案1
得分: 0
我们通过在Azure CDN端点缓存规则中为.woff扩展文件设置响应标头中的Cache-Control属性为'no-cache'来解决了这个问题。
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论