更新 chrome 94.0.4606.61 后，访问网站出现 CORS 错误！

› Vimium · 在 Chrome 里使用 vim 快捷键

This topic created in 1691 days ago, the information mentioned may be changed or developed.

就是请求 CDN 资源，会发生错误。

我的网站是：www.abc.com

请求： https://cdn.jsdelivr.net/npm/luckysheet/dist/plugins/js/plugin.js 之类的资源，网络中提示：CORS 错误，控制台提示：

Access to CSS stylesheet at 'https://cdn.jsdelivr.net/npm/luckysheet/dist/assets/iconfont/iconfont.css' from origin 'http://www.abc.com' has been blocked by CORS policy: The request client is not a secure context and the resource is in more-private address space `local`.

查询网上都是在 nginx 层处理，如：

add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'

已经在 www.abc.com 的 nginx 配置中进行如上设置，还是提示 CORS 设置？

请问如何正确的处理？

Supplement 1 · Sep 27, 2021

又一次被坑爹的 Clash For Windows 坑了，关闭代理后，访问正常。。。

这他(>^ω^<)喵的、

20 replies • 2021-09-29 14:39:03 +08:00

mercury233

Sep 27, 2021

chrome 这不允许不安全网页加载安全资源是什么鬼思路，这年头用不安全连接的都有苦衷，不允许加载安全资源基本就是逼人全换 http

rateltalk

Sep 27, 2021

@mercury233 是 http 导致的？

cairnechen

Sep 27, 2021

@s609926202

听上去好像意思是 http 的网页不能加载 https 的资源，比如图片？

mercury233

Sep 27, 2021

@s609926202 没有找到相关的资料，可能是 chrome 的 bug，或者你与 cdn.jsdelivr.net 的连接存在问题。把你的 www.abc.com 升级到 https 很可能也不能解决

rateltalk

Sep 27, 2021

@cairnechen 没有加载图片，只加载了 js 资源

oldshensheep

Sep 27, 2021

这里面说的很清楚
https://developer.chrome.com/blog/private-network-access-update/

mercury233

Sep 27, 2021

@oldshensheep 但 jsdelivr 是公开的网站，为什么被 chrome 归类成 more-private 了

cairnechen

Sep 27, 2021

@s609926202

举个例子而已

cairnechen

Sep 27, 2021

@cairnechen

#3 是回复 #2 对#1 的回复

Vegetable

Sep 27, 2021

以前是 https 页面不能加载 http 资源，不能降低安全等级，很好。
现在是 http 网页不能加载 https 资源，就有点反直觉了

oldshensheep

Sep 27, 2021

Chrome will introduce the following changes:

Blocking requests to private networks from insecure public websites starting in Chrome 94.

Introducing a deprecation trial which will end in Chrome 101. It will allow developers to request a time extension for chosen origins, which will not be affected during the deprecation trial.

Introducing a Chrome policy which will allow managed Chrome deployments to bypass the deprecation permanently. Available in Chrome 92.

What is Private Network Access

Private Network Access (formerly known as CORS-RFC1918) restricts the ability of websites to send requests to servers on private networks. It allows such requests only from secure contexts. The specification also extends the Cross-Origin Resource Sharing (CORS) protocol so that websites now have to explicitly request a grant from servers on private networks before being allowed to send arbitrary requests.

楼主开了代理导致访问那个 cdn 变成了本地地址？

oldshensheep

Sep 27, 2021

看来还真是代理导致 ip 变了。（其实也可以看作没变，看具体实现）
In the current implementation of this specification in Chromium, proxies influence the address space of resources they proxy. **Specifically, resources fetched via proxies are considered to have been fetched from the proxy’s IP address itself.**
通过代理获取的资源，被看作是从代理的 ip 那里获取的……
https://wicg.github.io/private-network-access/#proxies

mercury233

Sep 27, 2021

@oldshensheep 已经报 BUG 了，目前这个策略只对 HTTP 网站生效，将来必然会扩展到所有网站，那时使用代理才能加载的那些 cdn 资源恐怕就都会被拦了

oldshensheep

Sep 27, 2021

@mercury233 应该不会对 https 生效，因为 chrome 提到的解决办法就是把网站升级到 https 。
搞这个东西主要是因为当前 http 的网站可以随意访问本地网络中的服务，如果你有一个路由器是弱口令，网站就可以把你路由器控制了。
升级到 https 就不行了，https 虽然可以访问 localhost 但是不能访问本地网络的其他地址。除非……看链接。
https://developer.chrome.com/blog/private-network-access-update/#accessing-private-ip-addresses