SSL CORS not working with Zend Guard

Posted 2019-06-13 18:38

Question:

I've added everything to my Apache htaccess:

Header set Access-Control-Allow-Headers: X-Requested-With
Header set Access-Control-Allow-Methods: OPTIONS
Header add Access-Control-Allow-Methods: GET
Header add Access-Control-Allow-Methods: POST
Header add Access-Control-Allow-Headers: Content-Type
Header add Access-Control-Allow-Headers: Depth
Header add Access-Control-Allow-Headers: User-Agent
Header add Access-Control-Allow-Headers: X-File-Size
Header add Access-Control-Allow-Headers: X-Requested-With
Header add Access-Control-Allow-Headers: If-Modified-Since
Header add Access-Control-Allow-Headers: X-File-Name
Header add Access-Control-Allow-Headers: Cache-Control
Header set Access-Control-Allow-Origin: http://mysite.com 
Header add Access-Control-Allow-Origin: https://mysite.com
Header set Access-Control-Allow-Credentials: true

I added this to my jquery $.ajax:

xhrFields: {
    withCredentials: true
}

Absolutely nothing works.

I'm doing $.ajax with

type: 'POST',
dataType: 'json'

I thought by setting all of those headers above, I could do json not jsonp (please no jsonp. anything but jsonp. i can't get success to fire. please.god.no)

I'm at my limits. I'm getting the good ole

XMLHttpRequest cannot load https://mysite.com/aDirectory/aSecureFile.php. Origin http://mysite.com is not allowed by Access-Control-Allow-Origin.

Please help. I'm dying here. I promise I've looked everywhere, oh, have I looked everywhere.

Many thanks in advance!

Clarity

My headers are all coming across. I can see them in my response headers, but I'm still getting the above error. Is the server blocking? The browser? Is there something special I have to do to do https? Is there another setting on Apache I have to set to allow CORS? Is my jQuery $.ajax correct? Aside from data and success and error (and the URL always being https), that's all I'm doing to the jQuery $.ajax.

Thanks again!

new

Cross Domain AJAX preflighting failing Origin check didn't help (I don't think). Added

Header set Access-Control-Allow-Headers: ORIGINS
(adjusting for sets and adds). All response headers coming down the pipe.

newer

Added these

Header add Access-Control-Allow-Headers: Origin
Header add Access-Control-Allow-Headers: Accept
still nothing

REQUEST HEADERS

Do these help?

Accept:application/json, text/javascript, */*; q=0.01
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Origin:http://mysite.com
Referer:http://mysite.com/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11

PHP

header("Access-Control-Allow-Origin: http://mysite.com");
header("Access-Control-Allow-Origin: https://mysite.com");

RESPONSE HEADERS CLARITY

The RESPONSE HEADERS are coming through on all normal requests not the cross domain https ajax.

Server

CentOS 5.8, Apache 2.2.2, PHP 5.3, cPanel, WHM

Fine, if PHP not executing

So, in my haste, I copied slashingweapon's cors.php directly without php tags. I made a test page with $.ajax using the settings above.

It worked (as in there were no errors when the ajax fired) complete with response headers. As soon as I added the tags to the PHP, the error happened. I checked to see if it was a directory issue, putting it in both root and a subdirectory, fine as long as PHP is not executing.

Does this mean anything to anyone?

Is there a PHP setting that needs to be flipped?

Thanks to all for grinding this out with me!

We have a heartbeat

It looks like multiple arguments in the htaccess craps my server out. I reduced all those options above to this (which is fine for me, but I pity da fool who needs more):

<IfModule mod_headers.c>
    <FilesMatch "\.(php)$">
        Header set Access-Control-Allow-Origin: http://mysite.com
        Header add Access-Control-Allow-Methods: POST
    </FilesMatch>
</IfModule>

All I put in the PHP was

echo "this works at least";

And that came in the response. Once I figure out what's causing my PHP to fail, I'll post it.

Again, thanks all!

Zend Guard the problem?

Sooooooooo, sorry guys. Forgot to add that my site's running Zend Guard. Have a feeling that's causing it.

Answer 1:

When the client tries to do a CORS request it first sends a "preflight" request to make sure the server supports CORS. If the preflight request passes, then the real request will be sent.

Your server needs to send the right responses to CORS requests. I have a CORS PHP gist that shows how to do this.
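
A sketch of the server side of the preflight exchange described in this answer, as an added example; it is not the gist the answer refers to. The allowlist, the permitted methods and headers, and the function name cors_decision are assumptions, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original page). The allowlist below is an
// assumption built from the two origins named in the question.
const ALLOWED_ORIGINS = ['http://mysite.com', 'https://mysite.com'];
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'x-requested-with'];

// Returns [statusCode, headers, isPreflight] for one request.
function cors_decision(array $server): array
{
    $origin  = $server['HTTP_ORIGIN'] ?? '';
    $headers = ['Vary' => 'Origin']; // caches must not reuse a reply across origins

    // Exact match: scheme, host and port all count, so http://mysite.com
    // and https://mysite.com are two different origins.
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return [200, $headers, false]; // no CORS headers: the browser blocks the read
    }
    // Echo back exactly one origin: never a list, and never "*" when the
    // client sends credentials (withCredentials: true).
    $headers['Access-Control-Allow-Origin']      = $origin;
    $headers['Access-Control-Allow-Credentials'] = 'true';

    $isPreflight = ($server['REQUEST_METHOD'] ?? '') === 'OPTIONS'
        && isset($server['HTTP_ACCESS_CONTROL_REQUEST_METHOD']);
    if (!$isPreflight) {
        return [200, $headers, false];
    }
    // Preflight: approve only the method and headers we actually accept.
    $method = $server['HTTP_ACCESS_CONTROL_REQUEST_METHOD'];
    $raw    = strtolower($server['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? '');
    $wanted = array_filter(array_map('trim', explode(',', $raw)));
    if (!in_array($method, ALLOWED_METHODS, true) || array_diff($wanted, ALLOWED_HEADERS)) {
        return [403, ['Vary' => 'Origin'], true];
    }
    $headers['Access-Control-Allow-Methods'] = implode(', ', ALLOWED_METHODS);
    $headers['Access-Control-Allow-Headers'] = implode(', ', ALLOWED_HEADERS);
    return [204, $headers, true];
}

[$status, $headers, $isPreflight] = cors_decision($_SERVER);
http_response_code($status);
foreach ($headers as $name => $value) {
    header("$name: $value"); // header() replaces an earlier header of the same name
}
if ($isPreflight) {
    exit; // a preflight reply carries headers only, no body
}
```

Include it at the top of the endpoint before any output, and send these headers from one place only so Apache and PHP do not both emit Access-Control-Allow-Origin.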



Answer 2:

First you will need to make sure that mod_headers is enabled

a2enmod headers

Then, as a test, you can set the origin as a wild card in your .htaccess file

Header set Access-Control-Allow-Origin *

I'm seeing docs with and without the colon (:) and I don't have a system to test on right now so you might play with that as well.

Of course, after enabling the headers, you will need to bounce Apache.