这是一个创建于 1485 天前的主题,其中的信息可能已经有所发展或是发生改变。
就是请求 CDN 资源,会发生错误。
我的网站是:www.abc.com
请求: https://cdn.jsdelivr.net/npm/luckysheet/dist/plugins/js/plugin.js 之类的资源,网络中提示:CORS 错误,控制台提示:
Access to CSS stylesheet at 'https://cdn.jsdelivr.net/npm/luckysheet/dist/assets/iconfont/iconfont.css' from origin 'http://www.abc.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`. 查询网上都是在 nginx 层处理,如:
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' 已经在 www.abc.com 的 nginx 配置中进行如上设置,还是提示 CORS 设置?
请问如何正确的处理?
第 1 条附言 2021-09-27 14:27:09 +08:00
又一次被坑爹的 Clash For Windows 坑了,关闭代理后,访问正常。。。
这他(>^ω^<)喵的、
这他(>^ω^<)喵的、
20 条回复 2021-09-29 14:39:03 +08:00
 | 1 mercury233 2021-09-27 13:42:18 +08:00 chrome 这不允许不安全网页加载安全资源是什么鬼思路,这年头用不安全连接的都有苦衷,不允许加载安全资源基本就是逼人全换 http |
 | 2 s609926202 OP @mercury233 是 http 导致的? |
 | 3 cairnechen 2021-09-27 14:10:39 +08:00 |
| 4 mercury233 2021-09-27 14:11:20 +08:00 @s609926202 没有找到相关的资料,可能是 chrome 的 bug,或者你与 cdn.jsdelivr.net 的连接存在问题。把你的 www.abc.com 升级到 https 很可能也不能解决 |
| 5 s609926202 OP @cairnechen 没有加载图片,只加载了 js 资源 |
 | 6 oldshensheep 2021-09-27 14:19:01 +08:00 |
| 7 mercury233 2021-09-27 14:23:53 +08:00 @oldshensheep 但 jsdelivr 是公开的网站,为什么被 chrome 归类成 more-private 了 |
| 8 cairnechen 2021-09-27 14:25:51 +08:00 |
| 9 cairnechen 2021-09-27 14:27:12 +08:00 |
 | 10 Vegetable 2021-09-27 14:27:34 +08:00 以前是 https 页面不能加载 http 资源,不能降低安全等级,很好。 现在是 http 网页不能加载 https 资源,就有点反直觉了 |
| 11 oldshensheep 2021-09-27 14:40:13 +08:00 Chrome will introduce the following changes: Blocking requests to private networks from insecure public websites starting in Chrome 94. Introducing a deprecation trial which will end in Chrome 101. It will allow developers to request a time extension for chosen origins, which will not be affected during the deprecation trial. Introducing a Chrome policy which will allow managed Chrome deployments to bypass the deprecation permanently. Available in Chrome 92. What is Private Network Access Private Network Access (formerly known as CORS-RFC1918) restricts the ability of websites to send requests to servers on private networks. It allows such requests only from secure contexts. The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites now have to explicitly request a grant from servers on private networks before being allowed to send arbitrary requests. 楼主开了代理导致访问那个 cdn 变成了本地地址? |
| 12 oldshensheep 2021-09-27 14:57:00 +08:00  1 看来还真是代理导致 ip 变了。(其实也可以看作没变,看具体实现) In the current implementation of this specification in Chromium, proxies influence the address space of resources they proxy. **Specifically, resources fetched via proxies are considered to have been fetched from the proxy’s IP address itself.** 通过代理获取的资源,被看作是从代理的 ip 那里获取的…… https://wicg.github.io/private-network-access/#proxies |
| 13 mercury233 2021-09-27 15:01:38 +08:00 @oldshensheep 已经报 BUG 了,目前这个策略只对 HTTP 网站生效,将来必然会扩展到所有网站,那时使用代理才能加载的那些 cdn 资源恐怕就都会被拦了 |
| 14 oldshensheep 2021-09-27 15:32:36 +08:00 @mercury233 应该不会对 https 生效,因为 chrome 提到的解决办法就是把网站升级到 https 。 搞这个东西主要是因为当前 http 的网站可以随意访问本地网络中的服务,如果你有一个路由器是弱口令,网站就可以把你路由器控制了。 升级到 https 就不行了,https 虽然可以访问 localhost 但是不能访问本地网络的其他地址。除非……看链接。 https://developer.chrome.com/blog/private-network-access-update/#accessing-private-ip-addresses |
 | 15 fndroid 2021-09-27 17:22:42 +08:00 @oldshensheep “Blocking requests to private networks from insecure public websites starting in Chrome 94.” 这个似乎还是禁止公用网络向专用或本地网络请求,题主的情况应是反过来的。 |
| 16 fndroid 2021-09-27 18:04:47 +08:00 比较有可能是因为这个 www.abc.com 被加到了 Clash for Windows 的 bypass 里了 |
| 17 s609926202 OP @fndroid #16 是的,这个 bypass 我理解是不走代理,理解错了吗? |
| 18 fndroid 2021-09-27 21:54:58 +08:00 @s609926202 加到 bypass 就会触发上面说的 cors 规则,因为被代理的域名都是 local,而你 bypass 的域名是 public |
 | 19 wujunchuan2008 2021-09-29 02:19:31 +08:00 via iPhone 1 这个开关可以关闭这个特性 chrome://flags/#block-insecure-private-network-requests |
 | 20 cindy1024 2021-09-29 14:39:03 +08:00 @wujunchuan2008 感谢 |
Select Language