Record of a cross domain problem

Preface

Last project , For some reason , Need from https Access changed to http visit , There are cross domain problems in the transformation , Record... Here .

Project use nginx Acting as a reverse agent .

reform HTTP

When you visit the website browser, you will automatically jump to https, Need to put nginx http Redirect to https It's annotated

server {    listen 80;    listen [::]:80;    server_name server_name;    location ^~ /.well-known/acme-challenge/ {        default_type "text/plain";        root         /usr/share/;    }    location = /.well-known/acme-challenge/ {        return 404;    }  #  location / {  #      return 301 https://$host$request_uri;  #  }}

So when we visit the browser , Will not automatically redirect us to https

Cross domain

It's changed to http Cross domain occurs when , The general solution is to nginx Add the following configuration

add_header 'Access-Control-Allow-Origin' '*';

But we also made the following mistakes

from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This error means that during the pre inspection , The browser does not allow redirection .

We see the MDN Definition of cross domain

Cross domain is actually a protection of browser access to different domains , Otherwise, anyone can access the resources of your domain name at will , It's also terrifying

In the case of not simple requests , Browsers usually publish one options Pre inspection request , To know if the server allows the actual request ." Pre inspection request “ Use , It can avoid the unexpected impact of cross domain requests on the user data of the server .

This design is very humanized , You can't add it directly to your business request ？

Back to our question , During the pre inspection , Redirection is not allowed , But my address is not redirected , Is something secretly giving me a layer of redirection behind my back ？

Request link ： browser --》nginx--》 Business

Business is definitely not redirected , Browsers will not redirect for no reason , Then only NGINX 了

Open the browser console , In the network layer, we can see

Browser pre check found that the status code is 307, That must be redirection , And a point of attention ,Non-Authoriatative-Reason was HTTPS, We've already nginx Of https Instead of http, The domain name visited is also http, So there must be something wrong with this place

add_header Strict-Transport-Security "max-age=63072000" always;

The reason is mine nginx There is this configuration in the configuration , It means Inform the browser that all requests for the current domain name use https, That's why I ask for http, stay options When detecting , Automatically redirect me to https, and cros It is stipulated that before the pre inspection is completed , Redirection is not allowed , So it leads to the problem here

Remove this sentence , Or change it to the following form , restart nginx, Clean up browser cache , Or use traceless mode to access ,options There will be no redirection .

add_header Strict-Transport-Security max-age=0;