14

以下跨域 POST 请求的内容类型为 multipart/form-data,并且仅预检了简单的标头。根据 W3C 规范,除非我读错了,否则不应预检。我已经确认这发生在 Chrome 27 和 Firefox 10.8.3 中。我还没有测试任何其他浏览器。

以下是请求标头等:

Request URL:http://192.168.130.135:8081/upload/receiver
Request Method:POST
Status Code:200 OK
Request Headersview source
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:27129
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryix5VzTyVtCMwcNv6
Host:192.168.130.135:8081
Origin:http://192.168.130.135:8080
Referer:http://192.168.130.135:8080/test/raytest-jquery.html
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.37 Safari/537.36

这是 OPTIONS (预检)请求:

Request URL:http://192.168.130.135:8081/upload/receiver
Request Method:OPTIONS
Status Code:200 OK
Request Headersview source
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:origin, content-type
Access-Control-Request-Method:POST
Connection:keep-alive
Host:192.168.130.135:8081
Origin:http://192.168.130.135:8080
Referer:http://192.168.130.135:8080/test/raytest-jquery.html
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.37 Safari/537.36

规范似乎很清楚:

更新:这里有一些简单的客户端代码可以重现这个:

var xhr = new XMLHttpRequest(),
    formData = new FormData();

formData.append('myfile', someFileObj);

xhr.upload.progress = function(e) {
    //insert upload progress logic here
};

xhr.open('POST', 'http://192.168.130.135:8080/upload/receiver', true);
xhr.send(formData);

有谁知道为什么要预检?

4

2 回答 2

21

我最终检查了 Webkit 源代码以试图弄清楚这一点(在 Google 没有产生任何有用的点击之后)。onprogress事实证明,只要您注册了一个事件处理程序,Webkit 就会强制对任何跨域请求进行预检。即使在阅读了代码注释之后,我也不完全确定为什么要应用这种逻辑。

在 XMLHttpRequest.cpp 中: 

void XMLHttpRequest::createRequest(ExceptionCode& ec)
{
    ...

    options.preflightPolicy = uploadEvents ? ForcePreflight : ConsiderPreflight;

    ...

    // The presence of upload event listeners forces us to use preflighting because POSTing to an URL that does not
    // permit cross origin requests should look exactly like POSTing to an URL that does not respond at all.
    // Also, only async requests support upload progress events.
    bool uploadEvents = false;
    if (m_async) {
        m_progressEventThrottle.dispatchEvent(XMLHttpRequestProgressEvent::create(eventNames().loadstartEvent));
        if (m_requestEntityBody && m_upload) {
            uploadEvents = m_upload->hasEventListeners();
            m_upload->dispatchEvent(XMLHttpRequestProgressEvent::create(eventNames().loadstartEvent));
        }
    }

    ...
}


更新: Firefox 应用与 Webkit 相同的逻辑,它出现了。以下是来自 nsXMLHttpRequest.cpp 的相关代码:

nsresult
nsXMLHttpRequest::CheckChannelForCrossSiteRequest(nsIChannel* aChannel)
{
    ...

    // Check if we need to do a preflight request.
    nsCOMPtr<nsIHttpChannel> httpChannel = do_QueryInterface(aChannel);
    NS_ENSURE_TRUE(httpChannel, NS_ERROR_DOM_BAD_URI);

    nsAutoCString method;
    httpChannel->GetRequestMethod(method);
    if (!mCORSUnsafeHeaders.IsEmpty() ||
        (mUpload && mUpload->HasListeners()) ||
        (!method.LowerCaseEqualsLiteral("get") &&
         !method.LowerCaseEqualsLiteral("post") &&
         !method.LowerCaseEqualsLiteral("head"))) {
      mState |= XML_HTTP_REQUEST_NEED_AC_PREFLIGHT;
    }

    ...
}

注意mUpload && mUpload->HasListeners()条件的部分。

似乎 Webkit 和 Firefox(可能还有其他)在他们的预检代码中插入了一些逻辑,而 W3C 规范没有批准这些逻辑。如果我在规范中遗漏了什么,请发表评论。

于 2013-06-12T04:49:12.173 回答
1

我的猜测是Content-Type标题上的“边界”引起了问题。如果您能够重现此问题,则应将其作为浏览器错误提交,因为规范规定Content-Type标头检查应排除参数。

于 2013-06-12T04:05:22.287 回答