jeudi 2 février 2017

recently, i added the crossorigin attribute to script element to solve the mutted exception problem. but i found a strange problem, if the response header doesn't set correct access-control-allow-origin, then i get a cross origin error and the script will not execute.

here is the code:

<script src = 'http://ift.tt/2k2aWfn' crossorigin></script>

this is the error message:

Script from origin 'https://blog.sentry.io' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

this is the request header:

GET /js/script.js HTTP/1.1
Host: blog.sentry.io
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
Origin: null
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X)     AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d   Safari/600.1.4
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4
Cookie: ajs_anonymous_id=%22d6975e43-f4d3-4d98-a74e-5b319594902a%22; ajs_user_id=null; ajs_group_id=null; _ga=GA1.2.141680712.1484118184; __ar_v4=HBLTKULO45CAHNTTTEO3IG%3A20170110%3A2%7C7M3QZV2OWJGMBAGSKP2TG5%3A20170110%3A2%7CMLWCNCFTMJGD7GPDGE6RVT%3A20170110%3A2

this is the response header:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Feb 2017 10:50:40 GMT
Content-Type: application/javascript; charset=utf-8
Content-Length: 35758
Connection: close
Last-Modified: Thu, 26 Jan 2017 18:37:33 GMT
Expires: Tue, 31 Jan 2017 05:01:26 GMT
Cache-Control: max-age=600
Content-Encoding: gzip
Accept-Ranges: bytes
X-Timer: S1486032640.581431,VS0,VE0
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN

i try to find answer in the whatwg specification, and the specification says:

The crossorigin attribute is a CORS settings attribute. For classic scripts, it controls whether error information will be exposed, when the script is obtained from other origins. For module scripts, it controls the credentials mode used for cross-origin requests.

Unlike classic scripts, module scripts require the use of the CORS protocol for cross-origin fetching.

so i think crossorigin attribute should only control the error information, not the execution of script.

what causes this problem? and what can i do to fix this problem now?




Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)