Problem description
I want to allow cross-origin access to resources in a TOS bucket, but I am getting a cross-origin error message. How can I test whether the configuration succeeded?
Problem analysis
Cross-Origin Resource Sharing (CORS) rules can be applied to a bucket through the TOS console or the API. To test whether the CORS rules on a bucket take effect, use the curl command.
Solution
When TOS receives a cross-origin request or an OPTIONS request, it reads the CORS rules of the corresponding bucket, performs the matching permission check and returns the corresponding headers, which keeps cross-origin data transfer secure.
1. If you send a cross-origin request to a TOS bucket that has no CORS rules configured, no CORS headers are returned.
For example:
┌──(root)-[~]
└─# curl -i https://wanyix-xxxx.tos-cn-beijing.volces.com/test.py -H "Origin: example.com"
HTTP/1.1 200 OK
Content-Type: multipart/form-data; boundary=aaaeee59bfb0d3f0d16fc12cf8c42891
Content-Length: 181
Connection: keep-alive
Accept-Ranges: bytes
Date: Mon, 06 Jun 2022 09:41:05 GMT
ETag: "bcca0e55a87efb059e0a6315ba755915"
Last-Modified: Tue, 07 Sep 2021 10:25:41 GMT
x-tos-id-2: 839b0b6932b7e5f26607a462151b67a4-ac17cf0d
x-tos-request-id: 839b0b6932b7e5f26607a462151b67a4-ac17cf0d
x-tos-server-time: 9
x-tos-storage-class: STANDARD
x-tos-version-id: null
Strict-Transport-Security: max-age=15724800; includeSubDomains
As shown above, no CORS-related headers are returned. If a browser sends a similar cross-origin request to the bucket, the content will not be displayed: the browser blocks it. To allow your content to be displayed, configure a CORS policy on your TOS bucket. A correctly configured CORS policy ensures that the appropriate headers are returned.
2. Configure CORS rules in the TOS console.
Open the TOS console, select the bucket to configure, then go to Permission Management - Cross-Origin Access Settings - Create Rule to configure the rule.
The specific configuration is as follows:
3. Test the CORS rules.
Test the CORS rules with curl, as follows:
┌──(root)-[~]
└─# curl -i https://wanyix-xxxx.tos-cn-beijing.volces.com/test.py -H "Origin: example.com"
HTTP/1.1 200 OK
Content-Type: multipart/form-data; boundary=aaaeee59bfb0d3f0d16fc12cf8c42891
Content-Length: 181
Connection: keep-alive
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Allow-Origin: example.com
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
Date: Mon, 06 Jun 2022 09:54:48 GMT
ETag: "bcca0e55a87efb059e0a6315ba755915"
Last-Modified: Tue, 07 Sep 2021 10:25:41 GMT
x-tos-id-2: a916459c7cc0fe7bd392e7b9007b5d35-ac1f910c
x-tos-request-id: a916459c7cc0fe7bd392e7b9007b5d35-ac1f910c
x-tos-server-time: 9
x-tos-storage-class: STANDARD
x-tos-version-id: null
Strict-Transport-Security: max-age=15724800; includeSubDomains
If the CORS rules are configured correctly, a 200 OK response is received together with the corresponding headers. Requesting a method that the CORS rules do not specify gives the following result:
┌──(root)-[~]
└─# curl -i https://wanyix-xxxx.tos-cn-beijing.volces.com/test.py -H "Origin: example.com" -H "Access-Control-Request-Method: POST" --request OPTIONS
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 360
Connection: keep-alive
Date: Mon, 06 Jun 2022 10:05:36 GMT
x-tos-id-2: 1ea7a57fb4782bd9c2a7aa9cb7e5bc8f-ac107d0f
x-tos-request-id: 1ea7a57fb4782bd9c2a7aa9cb7e5bc8f-ac107d0f
x-tos-server-time: 1
Strict-Transport-Security: max-age=15724800; includeSubDomains
{"Code":"AccessDenied","RequestId":"1ea7a57fb4782bd9c2a7aa9cb7e5bc8f-ac107d0f","HostId":"NoJnJzrtsZlqRoTdWuqLPGdBVDJLRvpG","Message":"CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Requet-Headers are not whitelisted by the resource's CORS spec"}
From the above result, the CORS rules allow only the GET and HEAD methods and not POST, so the request using the POST method is rejected. Then modify the CORS rules to add the POST method and test again, as follows:
┌──(rootkali)-[~]
└─# curl -i https://wanyix-xxxx.tos-cn-beijing.volces.com/test.py -H "Origin: example.com" -H "Access-Control-Request-Method: POST" --request OPTIONS
HTTP/1.1 200 OK
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, POST
Access-Control-Allow-Origin: example.com
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
Date: Mon, 06 Jun 2022 10:12:41 GMT
x-tos-id-2: 30380a94a306da02929eed8ae72f6b0b-ac162510
x-tos-request-id: 30380a94a306da02929eed8ae72f6b0b-ac162510
x-tos-server-time: 1
Strict-Transport-Security: max-age=15724800; includeSubDomains
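The manual curl checks above can be scripted. The following is an added example, not code from the original article or from TOS: it evaluates the returned headers the way a browser does (exact origin match, whole-token method match, no wildcard origin with credentials). The bucket URL and origin in it are placeholders.

```shell
# Added example, not part of the original article: evaluate the headers of a
# TOS CORS response the way a browser would, so the curl checks above can be
# scripted. The bucket URL and origin below are placeholders.

# cors_allowed ORIGIN METHOD  (raw response headers on stdin)
# Returns 0 if the response lets ORIGIN use METHOD, 1 otherwise.
cors_allowed() {
  origin=$1; method=$2
  hdrs=$(tr -d '\r')                 # normalise CRLF line endings
  hdr() { printf '%s\n' "$hdrs" | grep -i "^$1:" | sed 's/^[^:]*:[[:space:]]*//' | head -n 1; }
  allow_origin=$(hdr Access-Control-Allow-Origin)
  allow_methods=$(hdr Access-Control-Allow-Methods)
  allow_cred=$(hdr Access-Control-Allow-Credentials)
  # No Access-Control-Allow-Origin at all: the bucket has no matching CORS rule.
  [ -n "$allow_origin" ] || return 1
  # Browsers refuse a wildcard origin when credentials are allowed.
  if [ "$allow_origin" = "*" ] && [ "$allow_cred" = "true" ]; then return 1; fi
  case "$allow_origin" in          # exact match only, never a substring match
    "*"|"$origin") ;;
    *) return 1 ;;
  esac
  # The method list is comma separated, e.g. "GET, HEAD"; match whole tokens.
  printf '%s\n' "$allow_methods" | tr ',' '\n' | tr -d ' ' | grep -qix -- "$method"
}

# probe_cors URL ORIGIN METHOD: send a preflight like the article's curl
# command and evaluate the returned headers (headers only, body discarded).
probe_cors() {
  curl -s -o /dev/null -D - -X OPTIONS "$1" \
       -H "Origin: $2" -H "Access-Control-Request-Method: $3" \
    | cors_allowed "$2" "$3"
}

# Constructed sample responses modelled on the article's output.
NO_CORS='HTTP/1.1 200 OK
Content-Type: text/plain
'
WITH_CORS='HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Allow-Origin: example.com
'
WILDCARD_CRED='HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
'
# Usage against a real bucket (placeholder URL):
# probe_cors https://BUCKET.tos-cn-beijing.volces.com/test.py example.com POST && echo allowed
```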
If you have other questions, please contact Volcano Engine technical support.