Problem description: CORS
has been blocked by cors policy
the request client is not a secure context
and resource is in more-private address space private
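Solution
The same-origin policy forbids browsers from making cross-origin requests; there are two ways around it, CORS and JSONP. CORS (Cross-origin resource sharing) is a mechanism that lets restricted resources of a web page be accessed by pages from other domains. The issue here concerns cross-origin JavaScript calls in the Chrome browser.
Cross-origin resource sharing (CORS) is the modern version of the JSONP pattern. Unlike JSONP, CORS supports other HTTP request methods besides GET. With CORS, web designers can use an ordinary XMLHttpRequest, whose error handling is better than JSONP's. On the other hand, JSONP works in older browsers that do not support CORS. All modern browsers support CORS[12].
Upgrading the server side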
Update 2021: A few months after I posted this question, the flag I referenced in my original answer was removed, and instead of disabling a security feature I was forced to solve the problem more satisfactorily.

Private Network Access (formerly CORS-RFC1918) is a specification that forbids requests from less private network resources to more private network resources. Like HTTP to HTTPS, or a remote host to localhost.

The ultimate solution was to add a self-signed certificate, and Access-Control-* headers, which enabled requests from my remote dev server to my localhost webpack-dev-server for assets.
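```js
const { readFileSync } = require('fs')

// conf is assumed to be the webpack-dev-server (devServer) options object.
// Serve the assets over HTTPS with the self-signed certificate.
conf.https = {
  key: readFileSync('./.ssl/cert.key'),
  cert: readFileSync('./.ssl/cert.crt'),
  cacert: readFileSync('./.ssl/ca.crt'),
}

// Headers sent with every response from the dev server.
conf.headers = {
  'Access-Control-Allow-Private-Network': true,
  'Access-Control-Allow-Origin': '*',
}
```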
Disabling the client-side setting
chrome://flags/#block-insecure-private-network-requests
Chrome extension Allow-Control-Allow-Origin
A temporary workaround: install the Allow-Control-Allow-Origin extension from the Chrome Web Store and turn its switch on.
CORS-RFC1918
Private Network Access (formerly known as CORS-RFC1918)
restricts the ability of websites to send requests to servers on private networks.
It allows such requests only from secure contexts.
The specification also extends the Cross-Origin Resource Sharing (CORS) protocol
so that websites now have to explicitly request a grant from servers on private networks
before being allowed to send arbitrary requests.
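The grant described above is a preflight exchange: Chrome adds `Access-Control-Request-Private-Network: true` to the OPTIONS request and continues only if the response carries `Access-Control-Allow-Private-Network: true`. The following is an added example, not code from the quoted sources; the origin `https://dev.example.com`, the allowlists and the function name `answerPreflight` are assumptions, and it echoes a vetted origin instead of the `*` used in the configuration above.

```javascript
// Constructed allowlist: the one remote origin that may reach this local server.
const ALLOWED_ORIGINS = new Set(['https://dev.example.com']);
const ALLOWED_METHODS = new Set(['GET', 'HEAD']);

// Hypothetical helper: returns null for non-preflight requests,
// otherwise the { status, headers } to answer the preflight with.
function answerPreflight(method, rawHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  // Header names are case-insensitive; normalise them to lowercase.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value);
  }
  const wanted = h['access-control-request-method'];
  if (method !== 'OPTIONS' || wanted === undefined) return null;

  const origin = h['origin'];
  // The refusal carries no CORS headers, so the browser fails the preflight.
  if (!origin || !allowedOrigins.has(origin) || !ALLOWED_METHODS.has(wanted)) {
    return { status: 403, headers: {} };
  }
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the vetted origin, never '*'
    'Access-Control-Allow-Methods': wanted,
    'Vary': 'Origin',
  };
  // Grant private-network access only when the browser asked for it.
  if (h['access-control-request-private-network'] === 'true') {
    headers['Access-Control-Allow-Private-Network'] = 'true';
  }
  return { status: 204, headers };
}

// Constructed preflight headers, as sent from the remote dev page.
const sample = {
  Origin: 'https://dev.example.com',
  'Access-Control-Request-Method': 'GET',
  'Access-Control-Request-Private-Network': 'true',
};
console.log(answerPreflight('OPTIONS', sample));
console.log(answerPreflight('OPTIONS', { ...sample, Origin: 'https://other.example' }));
```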
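Other solutions
Private Network Access (https://wicg.github.io/private-network-access/): act as a proxy and apply controls in the MegaCorp setup. This is for reference only and has not been verified; I hope capable peers will fill in the details.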