blocked by cors policy about CORS-RFC1918

問題描述 CORS

has been blocked by cors policy 
the request client is not a secure context 
and resource is in more-private address space private

解決方案

同源策略Same-origin policy禁止浏览器跨域访问,解决方法有CORS和JSONP 两种。CORS:Cross-origin resource sharing,用于让网页的受限资源能够被其他域名的页面访问的一种机制。有关Chrome浏览器,跨域调用JS的问题。

跨域资源共享(CORS)是 JSONP 模式的现代版。与 JSONP 不同,CORS 除了 GET 请求方法以外也支持其他的 HTTP 请求。用 CORS 可以让网页设计师用一般的 XMLHttpRequest,这种方式的错误处理比 JSONP 要来的好。另一方面,JSONP 可以在不支持 CORS 的老旧浏览器上运作。现代的浏览器都支持 CORS[12]。

升級服務器端

Update 2021: A few months after I posted this question, 
the flag I referenced in my original answer was removed, 
and instead of disabling a security feature 
I was forced to solve the problem more satisfactorily.

Private Network Access (formerly CORS-RFC1918) is 
a specification that forbids requests 
from less private network resources to more private network resources. 
Like HTTP to HTTPS, or a remote host to localhost.

The ultimate solution was to add a self-signed certificate, 
and Access-Control-* headers, 
which enabled requests from my remote dev server 
to my localhost webpack-dev-server for assets.
conf.https = {
  key: readFileSync('./.ssl/cert.key'),
  cert: readFileSync('./.ssl/cert.crt'),
  cacert: readFileSync('./.ssl/ca.crt'),
}

conf.headers = {
  'Access-Control-Allow-Private-Network': true,
  'Access-Control-Allow-Origin': '*',
}

屏蔽客戶端設置

chrome://flags/#block-insecure-private-network-requests
blocked by cors policy about CORS-RFC1918_第1张图片

chrome插件Allow-Control-Allow-Origin

临时解决办法,通过chrome网上商店安装插件Allow-Control-Allow-Origin,打开开关即可。
blocked by cors policy about CORS-RFC1918_第2张图片

CORS-RFC1918

Private Network Access (formerly known as CORS-RFC1918) 
restricts the ability of websites to send requests to servers on private networks. 
It allows such requests only from secure contexts. 
The specification also extends the Cross-Origin Resource Sharing (CORS) protocol 
so that websites now have to explicitly request a grant from servers on private networks 
before being allowed to send arbitrary requests.

blocked by cors policy about CORS-RFC1918_第3张图片

其它的解決方案

Private Network Access 【https://wicg.github.io/private-network-access/】,通過在MegaCorp 設置上做代理和控制。僅供參考,沒有驗證,希望有能力的同行來補充。

[^1] Chrome CORS error on request to localhost dev server from remote site
[^2] Chrome 安全策略 - 私有網絡控制(CORS-RFC1918)
[^3] Private Network Access update: Introducing a deprecation trial
[^4] 谷歌浏览器(chrome)允许跨域设置的方法 https://junyiseo.com/qita/792.html
[^5] Disable same origin policy in Chrome

你可能感兴趣的:(网络,http,https,网络协议,chrome)