问题
I have a strange issue in FF which is not reproduced in Chrome: websocket connection to another origin does not work when using SSL connection.
My Rails app is running on https://wax.lvh.me:3000 and socket.io node JS app is running on https://wax.lvh.me:3001. When I try to connect to the socket from the Rails app in FF I see the following warnings in the browser's dev console:
When I open the Network tab I see the following response headers - notice that there are no access-control headers in the response:
I tried to use the following recipes from the others SO answers:
Set up origins to '*:*' from this answer
io = require('socket.io').listen(server)
io.set('origins', '*:*');
Set up origins to a function from this answer
io.origins (origin, callback) =>
if origin.match(/lvh\.me/)
return callback(null, true)
callback('Origin not allowed', false)
But nothing helped me to fix this issue so far
Notice that access-control headers are set correctly in Chrome:
I use the following browser and tool versions:
- Firefox - 63.0.3 (64-bit)
- Google Chrome - Version 73.0.3683.39 (Official Build) beta (64-bit)
- Socket.io - 2.2.0
Do you have any ideas how to set up CORS in socket.io for FF correctly?
回答1:
There was everything OK with CORS configuration in our socket.io app
The problem was with SSL certificates: our configuration was missing ca (intermediate certificate) option in the HTTPS server initialization. We fixed the issue with this code:
require('https').createServer({
ca: fs.readFileSync(process.env.SSL_CA), // this config was missing
cert: fs.readFileSync(process.env.SSL_CERT),
key: fs.readFileSync(process.env.SSL_KEY)
})
As nodeJS create Secure Context documentation says:
ca
string|string[]|Buffer|Buffer[]. Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla. Mozilla's CAs are completely replaced when CAs are explicitly specified using this option. The value can be a string or Buffer, or an Array of strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs concatenated together. The peer's certificate must be chainable to a CA trusted by the server for the connection to be authenticated. When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate. If the peer uses a certificate that doesn't match or chain to one of the default CAs, use the ca option to provide a CA certificate that the peer's certificate can match or chain to. For self-signed certificates, the certificate is its own CA, and must be provided. For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE", "X509 CERTIFICATE", and "CERTIFICATE".
来源:https://stackoverflow.com/questions/54754146/socket-io-cross-origin-request-blocked-the-same-origin-policy-disallows-readin