
Problem
(Note: I've changed my actual domain name)
My static site hosted on mydomain.com cannot make POST requests to server at app.api.mydomain.com using fetch() due to Cross-Origin Read Blocking (CORB). GET seems to work alright. When I make POST request, I get this error in Chrome:

Cross-Origin Read Blocking (CORB) blocked cross-origin response https://app.api.mydomain.com/core/v1/create_token with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

Note the MIME type. It gets changed to text/html by nginx proxy, I guess.

Firefox:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://app.api.mydomain.com/core/v1/create_token. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

The server is a nodeJS server which sends a JSON response with res.json() but it seems the final Content-Type received in the browser is text/html which violates Cross-Origin Read Blocking (CORB). Especially when JSON response is sent with a text/html content type.

My guess is the nginx proxy modifies the response header. I've gone through the nginx config file but can't find where the issue is both in the global and app specific one. I don't really understand why the response is text/html because it works when I host it outside captainduckduck (without a proxy).

This is unrelated to CaptainDuckDuck. It's related to how you set your headers. For example see:
https://stackoverflow.com/questions/45611400/cross-origin-request-blocked-the-same-origin-policy-disallows-reading-the-remot

This might not exactly be the answer you're looking for. But it should give you a starting point. I suggest you post your question on StackOverflow and tag it with nodejs and CORS.

Label: not-caprover-specific (Not related to CapRover. Related to Docker, nginx, other apps, etc.), Jun 11, 2018

No, default nginx config via CaptainDuckDuck does not add/modify any headers to the response. It only adds some headers to the proxy request (not the response), which are here:
https://github.com/githubsaturn/captainduckduck/blob/master/app-backend/src/template/server-block-conf.ejs#L57

Therefore, if you have set headers in your nodejs app, you will see those headers getting passed to the client.

Also, if you need to modify any default nginx property for a specific need, you can always edit the default one by going to the Captain's control panel, your app's settings and add any headers you want, for example, you can add the following lines:

        add_header 'Access-Control-Allow-Origin' "$http_origin" always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

just after proxy_set_headers. But my guess is that you won't need them.

To debug your app, just open Chrome dev console, and you will see the OPTIONS request that goes out before the POST request. You will see whether or not it has the right access control headers.

My guess is in your source code you are not setting the headers on POST requests.

Try posting your question in the telegram channel. Maybe other people will be able to help:

You can also post your domains here and I can have a look at it.
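
One way to set the headers in the Node app itself, as an added example that is not code from the issue or from CaptainDuckDuck. The nginx lines quoted above echo whatever `Origin` the request carries while also allowing credentials; this sketch answers the preflight and the POST with the same header set but echoes the origin only when it is on an allowlist. The allowlist entry, the header lists, the response bodies and the function names are assumptions.

```javascript
// Added example, not the issue author's server code.
// Constructed allowlist: the static site's origin, using the issue's placeholder domain.
const ALLOWED_ORIGINS = new Set(['https://mydomain.com']);

// CORS headers for one request; empty for unknown origins so the browser blocks the read.
function corsHeaders(origin, preflight) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const h = {
    'Access-Control-Allow-Origin': origin, // echoed only after the allowlist match
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // shared caches must not reuse the response for another origin
  };
  if (preflight) {
    h['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    h['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  return h;
}

// Pure routing step: returns status, headers and body, so it can be checked without a socket.
function respond(method, url, headers) {
  if (method === 'OPTIONS') {
    // Preflight the browser sends before a cross-origin POST with a JSON body.
    return { status: 204, headers: corsHeaders(headers.origin, true), body: '' };
  }
  const base = { ...corsHeaders(headers.origin, false), 'Content-Type': 'application/json' };
  if (method === 'POST' && url === '/core/v1/create_token') {
    // Constructed response body; the real endpoint's payload is not shown in the issue.
    return { status: 200, headers: base, body: JSON.stringify({ ok: true }) };
  }
  // Error paths get the same headers: without them the browser reports a CORS failure
  // instead of exposing the real status to fetch().
  return { status: 404, headers: base, body: JSON.stringify({ error: 'not found' }) };
}

// Adapter with the (req, res) signature that Node's http.createServer() expects.
function handle(req, res) {
  const r = respond(req.method, req.url, req.headers);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

Pass `handle` to `http.createServer()` to serve it; the OPTIONS and POST entries in the browser's network tab should then show the same `Access-Control-Allow-Origin` value.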