blocked by cors policy about CORS-RFC1918,或者local

2021-11-03 14:35:17

报错信息 has been blocked by CORS policy: The request client is not a secure context

the resource is in more-private address space `private`

之前用的好好的,突然就出错了。

我一猜就是google浏览器升级引起的问题,加深了安全机制。

但是我不知道怎么操作。

浪费了半天,终于找到解决办法了。

一开始的时间事再解决替换的js在chrome控制台监控网络的时候提示 

Failed to load response data: No content available beacase thie request was redirected

一直在上面费工夫解决问题了

其实操作正确与否,都会是这样的提示,记得看console里面的报错。解决了问题。


参考连接 blocked by cors policy about CORS-RFC1918

参考地址2 https://wicg.github.io/private-network-access/



問題描述

has been blocked by cors policy 

the request client is not a secure context 

and resource is in more-private address space private

1

2

3

解決方案

升級服務器端

Update 2021: A few months after I posted this question, 

the flag I referenced in my original answer was removed, 

and instead of disabling a security feature 

I was forced to solve the problem more satisfactorily.


Private Network Access (formerly CORS-RFC1918) is 

a specification that forbids requests 

from less private network resources to more private network resources. 

Like HTTP to HTTPS, or a remote host to localhost.


The ultimate solution was to add a self-signed certificate, 

and Access-Control-* headers, 

which enabled requests from my remote dev server 

to my localhost webpack-dev-server for assets.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

conf.https = {

  key: readFileSync('./.ssl/cert.key'),

  cert: readFileSync('./.ssl/cert.crt'),

  cacert: readFileSync('./.ssl/ca.crt'),

}


conf.headers = {

  'Access-Control-Allow-Private-Network': true,

  'Access-Control-Allow-Origin': '*',

}

1

2

3

4

5

6

7

8

9

10

屏蔽客戶端設置

chrome://flags/#block-insecure-private-network-requests



CORS-RFC1918

Private Network Access (formerly known as CORS-RFC1918) 

restricts the ability of websites to send requests to servers on private networks. 

It allows such requests only from secure contexts. 

The specification also extends the Cross-Origin Resource Sharing (CORS) protocol 

so that websites now have to explicitly request a grant from servers on private networks 

before being allowed to send arbitrary requests.

1

2

3

4

5

6



其它的解決方案

Private Network Access 【https://wicg.github.io/private-network-access/】,通過在MegaCorp 設置上做代理和控制。僅供參考,沒有驗證,希望有能力的同行來補充。


[^1] Chrome CORS error on request to localhost dev server from remote site

[^2] Chrome 安全策略 - 私有網絡控制(CORS-RFC1918)

[^3] Private Network Access update: Introducing a deprecation trial

————————————————

版权声明:本文为CSDN博主「MyFreeIT」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。

原文链接:https://blog.csdn.net/MyFreeIT/article/details/120437772


  • 2019-02-19 10:01:55

    node下使用open模块在指定浏览器下打开url

    最近在做一个项目的过程中,得到一个远程二维码图片的url,需要扫码登录,每次都是在控制台发url打印出来,再复制粘贴到浏览器的地址栏中打开扫码,整个过程过于繁琐,于是想找一个模块,直接在node下,指定浏览器打开该图片。这样可以省不少事。

  • 2019-02-24 09:47:09

    解决Node.js的命令行输出中文乱码问题(也适用于Electron)

    ​一般我们的js文件都是试用utf8编码保存的,但是中文windows的命令行一般默认使用cp936编码(就是gbk),这样我们用js代码 console.log('中文');输出日志的时候,会发现输出的是乱码。 网上有提供一些解决方案,典型的就是用iconv或iconv-lite,把这些中文字符串先转成gbk再输出。 但是这个方案我试了多次,在win10的命令行下,utf8的字符串是成功转成了gbk字符串了(通过打印Buffer可以见到),但是输出还是乱码。

  • 2019-02-25 10:05:41

    Android Socket连接(模拟心跳包,断线重连,发送数据等)

    因为是要保证全局只能有一个连接,而且我们还需要在不同的Activity中发指令,因此肯定不能在需要发指令的界面中都去连接socket,这样一来不好管理,性能也不好,重复代码也会比较多,所以想了一下还是把socket放到service中比较好,发指令功能都放在service中即可。

  • 2019-02-28 15:54:24

    HTTP协议缓存策略深入详解之ETAG妙用

      HTTP协议规格说明定义ETag为“被请求变量的实体值” 。另一种说法是,ETag是一个可以与Web资源关联的记号(token)。典型的Web资源可以一个Web页,但也可能是JSON或XML文档。服务器单独负责判断记号是什么及其含义,并在HTTP响应头中将其传送到客户端。