From 218934fa2ed1c702a6d3923d2aa2cc6b43c48684 Mon Sep 17 00:00:00 2001 From: Peter Bengtsson Date: Tue, 8 Dec 2020 14:43:23 -0500 Subject: initial commit --- .../http/cors/errors/corsdidnotsucceed/index.html | 22 +++++++ .../cors/errors/corsmissingalloworigin/index.html | 48 ++++++++++++++ .../errors/corsnotsupportingcredentials/index.html | 32 +++++++++ files/zh-tw/web/http/cors/errors/index.html | 76 ++++++++++++++++++++++ 4 files changed, 178 insertions(+) create mode 100644 files/zh-tw/web/http/cors/errors/corsdidnotsucceed/index.html create mode 100644 files/zh-tw/web/http/cors/errors/corsmissingalloworigin/index.html create mode 100644 files/zh-tw/web/http/cors/errors/corsnotsupportingcredentials/index.html create mode 100644 files/zh-tw/web/http/cors/errors/index.html (limited to 'files/zh-tw/web/http/cors/errors') diff --git a/files/zh-tw/web/http/cors/errors/corsdidnotsucceed/index.html b/files/zh-tw/web/http/cors/errors/corsdidnotsucceed/index.html new file mode 100644 index 0000000000..b265a0ca1c --- /dev/null +++ b/files/zh-tw/web/http/cors/errors/corsdidnotsucceed/index.html @@ -0,0 +1,22 @@ +--- +title: 原因:CORS 請求未成功 +slug: Web/HTTP/CORS/Errors/CORSDidNotSucceed +translation_of: Web/HTTP/CORS/Errors/CORSDidNotSucceed +--- +
{{HTTPSidebar}}
+ +

原因

+ +
Reason: CORS request did not succeed
+ +

哪邊出錯了?

+ +

使用 CORS 的 {{Glossary("HTTP")}} 請求失敗,因為 HTTP 連線在網路或協定層級失敗。這個錯誤和 CORS 沒有直接關係,but is a fundamental network error of some kind.

+ +

參見

+ + diff --git a/files/zh-tw/web/http/cors/errors/corsmissingalloworigin/index.html b/files/zh-tw/web/http/cors/errors/corsmissingalloworigin/index.html new file mode 100644 index 0000000000..fde9e0e0bd --- /dev/null +++ b/files/zh-tw/web/http/cors/errors/corsmissingalloworigin/index.html @@ -0,0 +1,48 @@ +--- +title: 原因:缺少 CORS 標頭 'Access-Control-Allow-Origin' +slug: Web/HTTP/CORS/Errors/CORSMissingAllowOrigin +translation_of: Web/HTTP/CORS/Errors/CORSMissingAllowOrigin +--- +
{{HTTPSidebar}}
+ +

原因

+ +
Reason: CORS header 'Access-Control-Allow-Origin' missing
+ +

What went wrong?

+ +

The response to the {{Glossary("CORS")}} request is missing the required {{HTTPHeader("Access-Control-Allow-Origin")}} header, which is used to determine whether or not the resource can be accessed by content operating within the current origin.

+ +

If the server is under your control, add the origin of the requesting site to the set of domains permitted access by adding it to the Access-Control-Allow-Origin header's value.

+ +

For example, to allow a site at https://amazing.site to access the resource using CORS, the header should be:

+ +
Access-Control-Allow-Origin: https://amazing.site
+ +

You can also configure a site to allow any site to access it by using the "*" wildcard. You should only use this for public APIs. Private APIs should never use "*", and should instead have a specific domain or domains set. In addition, the wildcard only works for requests made with the {{htmlattrxref("crossorigin")}} attribute set to "anonymous".

+ +
Access-Control-Allow-Origin: *
+ +
+

Warning: Using the wildcard to allow all sites to access a private API is a bad idea for what should be obvious reasons.

+
+ +

 

+ +

For example, in Apache, add a line such as the following to the server's configuration (within the appropriate <Directory>, <Location>, <Files>, or <VirtualHost> section). The configuration is typically found in a .conf file (httpd.conf and apache.conf are common names for these), or in an .htaccess file.

+ +
Header set Access-Control-Allow-Origin 'origin-list'
+ +

For Nginx, the command to set up this header is:

+ +
add_header 'Access-Control-Allow-Origin' 'origin-list'
+ +

 

+ +

參見

+ + diff --git a/files/zh-tw/web/http/cors/errors/corsnotsupportingcredentials/index.html b/files/zh-tw/web/http/cors/errors/corsnotsupportingcredentials/index.html new file mode 100644 index 0000000000..8c971d93f5 --- /dev/null +++ b/files/zh-tw/web/http/cors/errors/corsnotsupportingcredentials/index.html @@ -0,0 +1,32 @@ +--- +title: 原因:CORS 'Access-Control-Allow-Origin' 設定為「*」時不支援使用帳號密碼 +slug: Web/HTTP/CORS/Errors/CORSNotSupportingCredentials +translation_of: Web/HTTP/CORS/Errors/CORSNotSupportingCredentials +--- +
{{HTTPSidebar}}
+ +

原因

+ +
Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
+ +

What went wrong?

+ +

The {{Glossary("CORS")}} request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of {{HTTPHeader("Access-Control-Allow-Origin")}}, which doesn't allow the use of credentials.

+ +

To correct this problem on the client side, simply ensure that the credentials flag's value is false when issuing your CORS request.

+ + + +

If, instead, you need to adjust the server's behavior, you'll need to change the value of Access-Control-Allow-Origin to grant access to the origin from which the client is loaded.

+ +

參見

+ + diff --git a/files/zh-tw/web/http/cors/errors/index.html b/files/zh-tw/web/http/cors/errors/index.html new file mode 100644 index 0000000000..d1dd12dc75 --- /dev/null +++ b/files/zh-tw/web/http/cors/errors/index.html @@ -0,0 +1,76 @@ +--- +title: CORS errors +slug: Web/HTTP/CORS/Errors +tags: + - CORS + - Errors + - HTTP + - HTTPS + - Messages + - NeedsTranslation + - Same-origin + - Security + - TopicStub + - console + - troubleshooting +translation_of: Web/HTTP/CORS/Errors +--- +
{{HTTPSidebar}}
+ +

Cross-Origin Resource Sharing ({{Glossary("CORS")}}) is a standard that allows a server to relax the same-origin policy. This is used to explicitly allow some cross-origin requests while rejecting others. For example, if a site offers an embeddable service, it may be necessary to relax certain restrictions. Setting up such a CORS configuration isn't necessarily easy and may present some challenges. In these pages, we'll look into some common CORS error messages and how to resolve them.

+ +

If the CORS configuration isn't setup correctly, the browser console will present an error like "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite" indicating that the request was blocked due to violating the CORS security rules. This might not necessarily be a set-up mistake, though. It's possible that the request is in fact intentionally being disallowed by the user's web application and remote external service. However, If the endpoint is meant to be available, some debugging is needed to succeed.

+ +

Identifying the issue

+ +

To understand the underlying issue with the CORS configuration, you need to find out which request is at fault and why. These steps may help you do so:

+ +
    +
  1. Navigate to the web site or web app in question and open the Developer Tools.
  2. +
  3. Now try to reproduce the failing transaction and check the console if you are seeing a CORS violation error message. It will probably look like this:
  4. +
+ +

Firefox console showing CORS error

+ +

The text of the error message will be something similar to the following:

+ +
Cross-Origin Request Blocked: The Same Origin Policy disallows
+reading the remote resource at https://some-url-here. (Reason:
+additional information here).
+ +
+

Note: For security reasons, specifics about what went wrong with a CORS request are not available to JavaScript code. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.

+
+ +

CORS error messages

+ +

Firefox's console displays messages in its console when requests fail due to CORS. Part of the error text is a "reason" message that provides added insight into what went wrong.  The reason messages are listed below; click the message to open an article explaining the error in more detail and offering possible solutions.

+ + + +

See also

+ + -- cgit v1.2.3-54-g00ecf
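Review bot: In files/zh-tw/web/http/cors/errors/corsdidnotsucceed/index.html, the paragraph under 哪邊出錯了? switches language mid-sentence: "這個錯誤和 CORS 沒有直接關係,but is a fundamental network error of some kind." Finish translating the trailing clause, or keep the whole sentence in English until it is translated, so the page does not ship a half-translated sentence. Leaving "Reason: CORS request did not succeed" in English is fine, since that is the string readers will see in the console.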
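Review bot: In files/zh-tw/web/http/cors/errors/corsmissingalloworigin/index.html, the Apache and Nginx examples use the placeholder 'origin-list' and the paragraph above them speaks of a "set of domains", which reads as if Access-Control-Allow-Origin accepts several origins; the header carries a single origin or "*". Suggest replacing the placeholder with a single origin, such as the https://amazing.site value already used earlier in the file, and stating that a server serving several origins has to compare the request's Origin against its allowlist, return only that one value, and send Vary: Origin. The Warning box would also help more if it named the reason rather than "for what should be obvious reasons". Apart from the title and the 原因 and 參見 headings the body is still English, and two empty paragraphs are left in.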
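Review bot: In files/zh-tw/web/http/cors/errors/corsnotsupportingcredentials/index.html, the server-side paragraph ("you'll need to change the value of Access-Control-Allow-Origin to grant access to the origin from which the client is loaded") stops short of what a credentialed request needs: the response must also carry Access-Control-Allow-Credentials: true, otherwise the browser still withholds the response after the wildcard is replaced. Suggest adding that sentence, together with a caution that the server should only return an origin it has checked against an allowlist when credentials are allowed. Separately, the translated title renders "Credential" as 帳號密碼 (account and password), which is narrower than what the credentials flag covers, since cookies and HTTP authentication count as well.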
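Review bot: In files/zh-tw/web/http/cors/errors/index.html, the front matter carries the NeedsTranslation and TopicStub tags and every line of the body is English, so the zh-tw page is an untranslated copy; worth confirming that importing it as-is is intended. If the English text stays, three wording slips in it should be fixed: "isn't setup correctly" should be "isn't set up correctly", "However, If the endpoint" has a stray capital, and "Firefox's console displays messages in its console" repeats itself.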