Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
845 views
in Technique[技术] by (71.8m points)

jquery - Security error using CORS in IE10 with Node and Express

I'm constructing a Backbone application hosted on http://example.com which utilizes an API hosted on https://api.example.com. For the API, I'm using Node.js with the Express.js framework. My CORS solution seems to work in every major browser except IE (it even fails in IE10).

When a request is initiated from IE10, the request never hits the API server. As far as I can tell, the request is not even being sent. When I inspect the request using IE10's developer tools, both the request headers and response headers are blank. When a request is sent from any other browser, the request is received and a response is properly generated.

This is the error I see in the console:

SCRIPT 7002: XMLHttpRequest: Network Error 0x4c7, The operation was canceled by the user.

The request uses jQuery:

$.ajax({
  url: apiRoot + "/endpoint",
  success: function(response) {
    // Omitted irrelevant code
  }
});

According to this article, CORS is disabled in IE by default and must be enabled:

Internet Explorer ignores Access-Control-Allow headers and by default prohibits cross-origin access for Internet Zone. To enable CORS go to Tools->Internet Options->Security tab, click on “Custom Level” button. Find the Miscellaneous -> Access data sources across domains setting and select “Enable” option.

Sure enough, when I enable this setting, the request goes through and everything works as it should. However, I've read that this setting is not actually related to CORS and shouldn't affect it. When using this tool to test for CORS compatibility, IE10 passes regardless of whether this setting is enabled or disabled, which leads me to believe CORS is enabled and I'm just doing something wrong.

Also, everything seems to work as it should when I run Fiddler, since Fiddler is acting as a proxy.

For reference, here's the CORS-related code on the server side:

res.header("Access-Control-Allow-Origin", "example.com");
res.header("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
res.header("Access-Control-Allow-Headers", "Content-Type, Authorization, X-File-Name, X-File-Size, X-File-Type");
res.header("Access-Control-Allow-Credentials", true);
if (req.method == "OPTIONS") {
  res.send(200);
}

1 Reply

0 votes
by (71.8m points)

Try sending the request to the API server using HTTP instead of HTTPS. The issue sounds like it may have to do with the server's SSL settings more so than the request itself. If this is the case, try changing the SSL settings to something like this:

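var fs = require("fs");
var https = require("https");

// key, certificate and CA hold the paths to the PEM files;
// app is the Express application.
var options = {
  key:    fs.readFileSync(key),
  cert:   fs.readFileSync(certificate),
  ca:     fs.readFileSync(CA),
  requestCert:        false  // do not ask clients for a certificate
};

https.createServer(options, app).listen(443);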
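
Added example, not part of the original thread: the CORS headers from the question written as an Express-style middleware that checks the request's Origin against an allowlist before echoing it back. `corsDecision`, `cors` and `ALLOWED_ORIGINS` are hypothetical names, and the allowlist entry assumes the site's full origin with scheme (http://example.com), since that is the form browsers send in the Origin header and compare Access-Control-Allow-Origin against.

```javascript
// Added example; corsDecision, cors and ALLOWED_ORIGINS are illustrative names.
// Entries are full serialized origins (scheme + host), as sent in the Origin header.
const ALLOWED_ORIGINS = new Set(["http://example.com"]);
const ALLOWED_METHODS = "GET, PUT, POST, DELETE, OPTIONS";
const ALLOWED_HEADERS =
  "Content-Type, Authorization, X-File-Name, X-File-Size, X-File-Type";

// Pure decision function: from the method and Origin header, work out the CORS
// response headers and whether the request should be answered as a preflight.
function corsDecision(method, origin) {
  // Vary: Origin stops caches from reusing one origin's response for another.
  const headers = { Vary: "Origin" };
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Missing or unlisted origin: emit no Access-Control-* headers at all.
    return { headers, preflight: false, allowed: false };
  }
  // Echo the exact allowlisted origin; "*" is not valid with credentials.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";
  // As in the question's code, any OPTIONS request is treated as a preflight.
  const preflight = method === "OPTIONS";
  if (preflight) {
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
  }
  return { headers, preflight, allowed: true };
}

// Express-style middleware wrapping the decision: app.use(cors)
function cors(req, res, next) {
  const decision = corsDecision(req.method, req.headers.origin);
  Object.keys(decision.headers).forEach(function (name) {
    res.setHeader(name, decision.headers[name]);
  });
  if (decision.preflight) {
    res.statusCode = 204; // preflight is answered here and never reaches routes
    return res.end();
  }
  next();
}

// Constructed sample requests: allowed GET, allowed preflight, unlisted origin.
console.log(corsDecision("GET", "http://example.com"));
console.log(corsDecision("OPTIONS", "http://example.com"));
console.log(corsDecision("GET", "http://example.com.other.test"));
```

The exact-match lookup means a bare host name such as `example.com`, or a look-alike origin that merely starts with the allowed one, receives no Access-Control headers.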
