After updating to Chrome 94.0.4606.61, visiting my website gives a CORS error!

2021-09-27 13:32:40 +08:00
 s609926202

The error happens when requesting CDN resources.

My site is: www.abc.com

When requesting resources such as https://cdn.jsdelivr.net/npm/luckysheet/dist/plugins/js/plugin.js, the Network panel shows a CORS error and the console says:

Access to CSS stylesheet at 'https://cdn.jsdelivr.net/npm/luckysheet/dist/assets/iconfont/iconfont.css' from origin 'http://www.abc.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.

Everything I found online handles it at the nginx layer, for example:

# constructed CORS headers posted above; note the second directive needs a terminating semicolon
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';

I have already put the settings above into the nginx config for www.abc.com, but it still reports the CORS error?

How should this be handled correctly?

5075 views
Node: Chrome
20 replies
mercury233
2021-09-27 13:42:18 +08:00
What kind of logic is Chrome following here, not allowing insecure pages to load secure resources? These days anyone still on an insecure connection has their reasons; refusing to load secure resources is basically forcing everyone to switch to http
s609926202
2021-09-27 13:57:14 +08:00
@mercury233 So it's caused by http?
cairnechen
2021-09-27 14:10:39 +08:00
@s609926202

It sounds like it means an http page can't load https resources, such as images?
mercury233
2021-09-27 14:11:20 +08:00
@s609926202 I couldn't find any related material; it may be a Chrome bug, or there may be a problem with your connection to cdn.jsdelivr.net. Upgrading your www.abc.com to https very likely won't fix it either
s609926202
2021-09-27 14:14:52 +08:00
@cairnechen No images are loaded, only js resources
oldshensheep
2021-09-27 14:19:01 +08:00
mercury233
2021-09-27 14:23:53 +08:00
@oldshensheep But jsdelivr is a public website, so why is Chrome classifying it as more-private?
cairnechen
2021-09-27 14:25:51 +08:00
@s609926202

That was just an example
cairnechen
2021-09-27 14:27:12 +08:00
@cairnechen

#3 is a reply to #2's reply to #1
Vegetable
2021-09-27 14:27:34 +08:00
It used to be that https pages couldn't load http resources, so the security level couldn't be lowered; that was fine.
Now it's http pages that can't load https resources, which is a bit counterintuitive
oldshensheep
2021-09-27 14:40:13 +08:00
Chrome will introduce the following changes:

Blocking requests to private networks from insecure public websites starting in Chrome 94.

Introducing a deprecation trial which will end in Chrome 101. It will allow developers to request a time extension for chosen origins, which will not be affected during the deprecation trial.

Introducing a Chrome policy which will allow managed Chrome deployments to bypass the deprecation permanently. Available in Chrome 92.


What is Private Network Access

Private Network Access (formerly known as CORS-RFC1918) restricts the ability of websites to send requests to servers on private networks. It allows such requests only from secure contexts. The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites now have to explicitly request a grant from servers on private networks before being allowed to send arbitrary requests.

Did OP turn on a proxy, so that access to that CDN became a local address?
oldshensheep
2021-09-27 14:57:00 +08:00
Looks like it really is the proxy changing the IP. (Actually you could also say it didn't change, depending on the specific implementation)
In the current implementation of this specification in Chromium, proxies influence the address space of resources they proxy. **Specifically, resources fetched via proxies are considered to have been fetched from the proxy's IP address itself.**
Resources fetched through a proxy are treated as having been fetched from the proxy's IP...
https://wicg.github.io/private-network-access/#proxies
mercury233
2021-09-27 15:01:38 +08:00
@oldshensheep A bug has already been filed. At the moment this policy only applies to HTTP sites, but it will inevitably be extended to all sites in the future, and then all those CDN resources that can only be loaded through a proxy will probably be blocked too
oldshensheep
2021-09-27 15:32:36 +08:00
@mercury233 It probably won't apply to https, because the fix Chrome mentions is precisely to upgrade the site to https.
The main reason for this is that currently http sites can freely access services on the local network; if you have a router with a weak password, a website could take control of your router.
Once upgraded to https that no longer works: https can access localhost but not other addresses on the local network. Unless... see the link.
https://developer.chrome.com/blog/private-network-access-update/#accessing-private-ip-addresses
fndroid
2021-09-27 17:22:42 +08:00
@oldshensheep

"Blocking requests to private networks from insecure public websites starting in Chrome 94." This still seems to be about forbidding requests from the public network to private or local networks; OP's situation should be the other way round.
fndroid
2021-09-27 18:04:47 +08:00
More likely it's because www.abc.com was added to the bypass list in Clash for Windows
s609926202
2021-09-27 20:50:57 +08:00
@fndroid #16 Yes; my understanding is that bypass means it doesn't go through the proxy, have I got that wrong?
fndroid
2021-09-27 21:54:58 +08:00
@s609926202 Adding it to bypass triggers the CORS rule described above, because every proxied domain counts as local while your bypassed domain is public
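To make the two conclusions above concrete (proxied fetches are attributed to the proxy's IP, and an http page in a more-public address space cannot fetch from a more-private one), here is an added example that is not from this thread, from Chromium or from the Clash project. It models the Chrome 94 rule as quoted in the thread; the local/private/public ordering and the "proxy's IP" attribution come from the quoted spec text, while the concrete RFC 1918 and link-local ranges used for "private" are my assumption of the spec's address table, and all IPs and the scenario names are constructed.

```python
import ipaddress

# Address spaces as the Private Network Access draft names them:
# loopback is "local", RFC 1918 and link-local ranges are "private",
# everything else is "public". Lower rank means more private.
# (The concrete range list is an assumption, not copied from the spec.)
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]
RANK = {"local": 0, "private": 1, "public": 2}


def address_space(ip):
    """Classify one IP address as local / private / public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "local"
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


def peer_ip(server_ip, proxy_ip=None):
    """Chromium attributes a proxied fetch to the proxy's own IP rather than
    the origin server's (the 'proxies' rule quoted earlier in the thread)."""
    return proxy_ip if proxy_ip is not None else server_ip


def pna_check(page_scheme, page_server_ip, page_proxy_ip,
              resource_server_ip, resource_proxy_ip):
    """Chrome 94 rule as described in the thread: a document that is not a
    secure context may not fetch from an address space more private than
    its own. Returns the classification and the verdict."""
    initiator = address_space(peer_ip(page_server_ip, page_proxy_ip))
    target = address_space(peer_ip(resource_server_ip, resource_proxy_ip))
    secure = page_scheme == "https"
    blocked = (not secure) and RANK[target] < RANK[initiator]
    reason = None
    if blocked:
        # Same wording as the console message quoted at the top of the thread.
        reason = ("The request client is not a secure context and the "
                  f"resource is in more-private address space `{target}`.")
    return {"initiator": initiator, "target": target,
            "blocked": blocked, "reason": reason}


# Constructed scenario mirroring the thread: the http page is on the proxy's
# bypass list (fetched directly from a public IP) while the CDN goes through
# a local proxy on 127.0.0.1. Documentation addresses, not real hosts.
PAGE_IP = "203.0.113.10"
CDN_IP = "203.0.113.20"
LOCAL_PROXY = "127.0.0.1"


def thread_scenario():
    """http page bypassed (public), CDN via local proxy (local) -> blocked."""
    return pna_check("http", PAGE_IP, None, CDN_IP, LOCAL_PROXY)


def both_proxied():
    """Page and CDN both via the proxy: both 'local', nothing more private."""
    return pna_check("http", PAGE_IP, LOCAL_PROXY, CDN_IP, LOCAL_PROXY)


def https_page():
    """Secure context: the Chrome 94 rule does not apply, per the thread."""
    return pna_check("https", PAGE_IP, None, CDN_IP, LOCAL_PROXY)


if __name__ == "__main__":
    for name, fn in (("bypassed http page", thread_scenario),
                     ("everything proxied", both_proxied),
                     ("https page", https_page)):
        v = fn()
        print(f"{name}: {v['initiator']} -> {v['target']}, "
              f"blocked={v['blocked']}")
        if v["reason"]:
            print("  " + v["reason"])
```

Running it shows why the page only broke once it was put on the bypass list: with both the page and the CDN proxied, both sides classify as `local` and nothing is "more private"; with the page fetched directly, the initiator becomes `public` and the proxied CDN stays `local`, which is exactly the blocked combination in the console message. Switching the page to https, or not proxying the CDN, makes the check pass.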
wujunchuan2008
2021-09-29 02:19:31 +08:00
This flag turns the feature off: chrome://flags/#block-insecure-private-network-requests
cindy1024
2021-09-29 14:39:03 +08:00


https://www.v2ex.com/t/804587
