Geek asks and answers

Cross Domain Downloads Using CORS

I have files uploaded by a user that I am trying to upload in 10 kilobyte chunks. I am currently using raw XMLHttpRequest (and XDomainRequest) to click each individual fragment ( File.prototoype.slice) on the front end. Back - Nginx Using Download Module.

Just for reference, here is a brief overview of how I use slice:

element.files[0].slice(...)

I understand prefix methods of cross-browser webkitSliceand mozSliceand all that.

The problem I am facing is that you are making a cross-domain transfer request. I download from server.localto upload.server.local. In Firefox, the request optionsgoes through a fine, and then the actual one postfails. In Chrome and Opera, the request optionsfails

 OPTIONS https://URL Resource failed to load

Here are the headers from Firefox:

Request Headers

OPTIONS /path/to/asset HTTP/1.1
Host: upload.server.local:8443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://server.local:8443
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-disposition,content-type,x-content-range,x-session-id
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Answer Headers

HTTP/1.1 204 No Content
Server: nginx/1.2.6
Date: Wed, 13 Feb 2013 03:27:44 GMT
Connection: keep-alive
access-control-allow-origin: https://server.local:8443
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: x-content-range, origin, content-disposition, x-session-id, content-type, cache-control, pragma, referrer, host
access-control-allow-credentials: true
Access-Control-Max-Age: 10000

The actual request postnever leaves the browser. Nginx access logs never see post. For some reason, the browser stops it. How can I explain why this post is blocked?

Chromium 24
Firefox 18
Opera 12.14

I have confirmed that all browsers support CORS correctly here .

Pointing my downloads to https://cors-test.appspot.com/test, I confirmed that the problem is definitely related to server-side headers.

+5
1

POST , , POST . /, , .

  • , withCredentials = true XMLHttpRequest?
  • , ( ) SSL- ? HTTPS CORS, .
  • ? Access-Control-Max-Age: 10000 . 3 . , , , , .

, CORS , , . . , MDN CORS,

wild carding. , : Access-Control-Allow-Origin: *

https://cors-test.appspot.com/test, :

HTTP/1.1 200 OK
Cache-Control: no-cache
Access-Control-Allow-Origin: https://server.local:8443
Access-Control-Allow-Headers: content-disposition,content-type,x-content-range,x-session-id
Access-Control-Allow-Methods: POST
Access-Control-Max-Age: 0
Access-Control-Allow-Credentials: true
Cache-Control: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Type: application/json
Content-Encoding: gzip
Content-Length: 35
Vary: Accept-Encoding
Date: Thu, 23 May 2013 06:37:34 GMT
Server: Google Frontend

, , , , .

+1

More articles:


All Articles