When requesting CDN resources, an error occurs.
My site is: www.abc.com
When requesting resources such as https://cdn.jsdelivr.net/npm/luckysheet/dist/plugins/js/plugin.js, the Network panel shows a CORS error, and the console prints:
Access to CSS stylesheet at 'https://cdn.jsdelivr.net/npm/luckysheet/dist/assets/iconfont/iconfont.css' from origin 'http://www.abc.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.
Everything I can find online handles it at the nginx layer, e.g.:
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
I have already added the settings above to the nginx config for www.abc.com, but the CORS error is still reported?
How should this be handled correctly?
1
mercury233 2021-09-27 13:42:18 +08:00
What kind of reasoning is it for Chrome to disallow an insecure page from loading secure resources? These days anyone still using an insecure connection has their reasons; disallowing them from loading secure resources is basically forcing everyone to switch everything to http.
2
s609926202 OP @mercury233 Is it caused by http?
3
cairnechen 2021-09-27 14:10:39 +08:00
4
mercury233 2021-09-27 14:11:20 +08:00
@s609926202 I couldn't find any related material. It may be a Chrome bug, or there may be a problem with your connection to cdn.jsdelivr.net. Upgrading your www.abc.com to https most likely won't fix it either.
5
s609926202 OP @cairnechen No images are loaded, only js resources.
6
oldshensheep 2021-09-27 14:19:01 +08:00
7
mercury233 2021-09-27 14:23:53 +08:00
@oldshensheep But jsdelivr is a public website; why does Chrome classify it as more-private?
8
cairnechen 2021-09-27 14:25:51 +08:00
9
cairnechen 2021-09-27 14:27:12 +08:00
10
Vegetable 2021-09-27 14:27:34 +08:00
Previously an https page could not load http resources, so as not to lower the security level; that was fine.
Now an http page cannot load https resources, which is a bit counterintuitive.
11
oldshensheep 2021-09-27 14:40:13 +08:00
Chrome will introduce the following changes:
- Blocking requests to private networks from insecure public websites starting in Chrome 94.
- Introducing a deprecation trial which will end in Chrome 101. It will allow developers to request a time extension for chosen origins, which will not be affected during the deprecation trial.
- Introducing a Chrome policy which will allow managed Chrome deployments to bypass the deprecation permanently. Available in Chrome 92.
What is Private Network Access
Private Network Access (formerly known as CORS-RFC1918) restricts the ability of websites to send requests to servers on private networks. It allows such requests only from secure contexts. The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites now have to explicitly request a grant from servers on private networks before being allowed to send arbitrary requests.
Did the OP turn on a proxy, so that accessing that CDN turned into a local address?
12
oldshensheep 2021-09-27 14:57:00 +08:00
So it really is the proxy changing the IP. (Actually you could also say it didn't change; it depends on the specific implementation.)
In the current implementation of this specification in Chromium, proxies influence the address space of resources they proxy. **Specifically, resources fetched via proxies are considered to have been fetched from the proxy's IP address itself.** Resources fetched through a proxy are treated as if they were fetched from the proxy's IP…… https://wicg.github.io/private-network-access/#proxies
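Added example, not code from this thread or from Chromium: a small Python model of the address-space rule quoted above, including the note that a proxied resource takes the proxy's address space. The IP addresses are constructed placeholders, and the "https page is allowed" branch follows the thread's statement that the rule currently applies to insecure contexts only.

```python
import ipaddress
from enum import IntEnum
from typing import Optional

class AddressSpace(IntEnum):
    """Address spaces as Private Network Access orders them, most private first."""
    LOCAL = 0    # loopback (127.0.0.0/8, ::1)
    PRIVATE = 1  # RFC 1918 and link-local ranges
    PUBLIC = 2   # everything else

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

def address_space(ip: str) -> AddressSpace:
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return AddressSpace.LOCAL
    if any(addr in net for net in PRIVATE_NETS):
        return AddressSpace.PRIVATE
    return AddressSpace.PUBLIC

def effective_ip(resource_ip: str, proxy_ip: Optional[str]) -> str:
    # Spec note quoted in the thread: a resource fetched through a proxy
    # is treated as fetched from the proxy's own IP address.
    return proxy_ip if proxy_ip else resource_ip

def pna_verdict(page_is_https: bool, page_ip: str, resource_ip: str,
                proxy_ip: Optional[str] = None) -> str:
    """Chrome 94 rule as the thread describes it: an insecure page may not
    fetch from an address space more private than its own."""
    initiator = address_space(page_ip)
    target = address_space(effective_ip(resource_ip, proxy_ip))
    if target >= initiator or page_is_https:
        return "allowed"
    return f"blocked: insecure context, resource in address space `{target.name.lower()}`"

# Constructed placeholder addresses, not the real IPs of these hosts.
PAGE_IP = "203.0.113.10"  # www.abc.com, on the proxy bypass list
CDN_IP = "198.51.100.7"   # stands in for cdn.jsdelivr.net
PROXY_IP = "127.0.0.1"    # Clash for Windows listening on loopback

def thread_scenarios() -> dict:
    return {
        "bypassed page, proxied cdn": pna_verdict(False, PAGE_IP, CDN_IP, PROXY_IP),
        "no proxy at all": pna_verdict(False, PAGE_IP, CDN_IP),
        "page proxied too": pna_verdict(False, PROXY_IP, CDN_IP, PROXY_IP),
        "https page": pna_verdict(True, PAGE_IP, CDN_IP, PROXY_IP),
    }
```

The first scenario reproduces the OP's error: the page itself resolves to a public address while the proxied CDN fetch is attributed to the loopback proxy, i.e. address space `local`.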
13
mercury233 2021-09-27 15:01:38 +08:00
@oldshensheep A bug has already been reported. At present this policy only applies to HTTP sites, but it will inevitably be extended to all sites, and then those CDN resources that can only be loaded through a proxy will probably all be blocked.
14
oldshensheep 2021-09-27 15:32:36 +08:00
@mercury233 It probably won't apply to https, because the fix Chrome mentions is precisely to upgrade the site to https.
The main reason for this feature is that currently an http site can freely access services on the local network; if you have a router with a weak password, the site can take control of your router. After upgrading to https that no longer works: https can still access localhost but cannot access other addresses on the local network. Unless…… see the link. https://developer.chrome.com/blog/private-network-access-update/#accessing-private-ip-addresses
15
fndroid 2021-09-27 17:22:42 +08:00
@oldshensheep
“Blocking requests to private networks from insecure public websites starting in Chrome 94.” This still seems to be about forbidding public networks from making requests to private or local networks; the OP's situation should be the reverse.
16
fndroid 2021-09-27 18:04:47 +08:00
It is more likely because www.abc.com was added to the bypass list in Clash for Windows.
17
s609926202 OP @fndroid #16 Yes. I understood bypass to mean not going through the proxy; did I misunderstand?
18
fndroid 2021-09-27 21:54:58 +08:00
@s609926202 Adding it to bypass triggers the CORS rule described above, because proxied domains are all local, while the domain you bypass is public.
19
wujunchuan2008 2021-09-29 02:19:31 +08:00 via iPhone
This flag can turn the feature off: chrome://flags/#block-insecure-private-network-requests
20
cindy1024 2021-09-29 14:39:03 +08:00
@wujunchuan2008 Thanks