Two ways to fix the "Cross-Origin Read Blocking (CORB) blocked cross-origin response" error when calling the Baidu Web Service API cross-origin


Solution 1: let jQuery issue the request as JSONP. The browser then loads the response through a script tag instead of reading it as cross-origin JSON, so CORB does not apply.

```
$(function () {
    var url = "http://api.map.baidu.com/place/v2/search?query=ATM机&tag=银行&region=北京&output=json&ak=F552bedbee2ec8fa6bae7b7a08201&callback=callback";

    $.ajax({
        type: "get",
        async: false,          // ignored for jsonp: script loads are always asynchronous
        url: url,
        dataType: "jsonp",     // load the response via a <script> tag
        jsonp: "callback",     // name of the query parameter carrying the callback
        jsonpCallback: "callback",  // fixed callback name, matches callback=callback in the url
        success: function (data) {
            var json = JSON.stringify(data);
            console.log(json);
        },
        error: function (err) {
            console.log(err);
        }
    });
});
```

Solution 2: do the same thing by hand with a script tag. The callback must be a global function, because the script returned by the server calls it by name.

```
// url of the service that provides JSONP;
var url = "http://api.map.baidu.com/place/v2/search?query=ATM机&tag=银行&region=北京&output=json&ak=F552bedbee2ec8fa6bae7b7a08201&callback=callback";

// create the script tag and set its attributes;
var script = document.createElement("script");
script.setAttribute("src", url);

// callback invoked with the query result (global, so the loaded script can find it);
var callback = function (data) {
    var json = JSON.stringify(data);
    console.log(json);
};

// append the tag so the browser requests the url and runs the returned script;
document.body.appendChild(script);
```

I have recently been working through a Flask project. The final payment step fails: after redirecting to the Alipay interface it keeps reporting Cross-Origin Read Blocking (CORB) blocked cross-origin response, as well as A cookie associated with a cross-site resource at <URL> was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>. Otherwise it shows "系统繁忙,请稍后重试" (system busy, please try again later).

![Screenshot](https://img-ask.csdn.net/upload/202007/09/1594294659_99158.png)

I searched online and tried the following:

1. In chrome://flags set **SameSite by default cookies** and **Cookies without SameSite must be secure** to disabled.
2. Installed the cors package and initialised the app with **CORS(app, supports_credentials=True)**.

Neither had any effect. Here is the code:

```
# Create the Alipay SDK helper object
alipay_client = AliPay(
    appid="2016102100733966",
    app_notify_url=None,  # default callback url
    app_private_key_string=open(os.path.join(os.path.dirname(__file__), "keys/app_private_key.pem"), "r").read(),  # private key
    alipay_public_key_string=open(os.path.join(os.path.dirname(__file__), "keys/alipay_public_key.pem"), "r").read(),  # Alipay's public key, used to verify messages Alipay sends back; not your own public key
    sign_type="RSA2",  # RSA or RSA2
    debug=True  # default False
)

# Mobile web payment: redirect to https://openapi.alipaydev.com/gateway.do? + order_string
order_string = alipay_client.api_alipay_trade_wap_pay(
    out_trade_no=order.id,  # order number
    total_amount=str(order.amount / 100.0),  # total amount
    subject="爱家租房 %s" % order.id,  # order title
    return_url="",  # return url
    notify_url=None  # optional; the default notify url is used if omitted
)

# Build the payment url the user is redirected to
pay_url = alipay_client._gateway + "?" + order_string
return jsonify(errno=RET.OK, errmsg="OK", data={"pay_url": pay_url})
```

Front-end JS:

```
$.ajax({
    url: "/api/v1.0/orders/" + orderId + "/payment",
    type: "post",
    dataType: "json",
    headers: {
        "X-CSRFToken": getCookie("csrf_token"),
    },
    success: function (resp) {
        if ("4101" == resp.errno) {
            location.href = "/login.html";
        } else if ("0" == resp.errno) {
            // redirect the user to the Alipay payment link
            location.href = resp.data.pay_url;
        }
    }
});
```
<div><p>Historically, browsers had rather lax Content-Type checking. We’ve been able to introduce stricter checks in some cases (e.g. blocking mislabeled scripts and stylesheets in presence of the nosniff header [1]) and unfortunately failed in some other cases (e.g. Firefox’s attempt to block mislabeled images in presence of the nosniff header [2, 3]).</p> <p>Given Spectre, lax handling of mislabeled cross-origin responses carries new, significant security risks. We've developed a proposal, which we're calling Cross-Origin Read Blocking (CORB), which increases the strictness of cross-origin fetching semantics while trying to still stay web-compatible. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with <a href="https://www.chromium.org/Home/chromium-security/site-isolation">Site Isolation</a>, it can keep such data out of untrusted renderer processes entirely, helping even against speculative side channel attacks.</p> <p>We're looking to collaborate with everyone on an interoperable set of changes to the web platform, so that blocking of cross-origin responses can be done consistently across all the browsers. Please take a look at the proposal and its compatibility impact in the <a href="https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md">CORB explainer</a> and provide feedback in this thread on the algorithm itself, as well as on the next steps for trying to encode CORB into the relevant specs for web standards.</p> <p>We believe that CORB has a reasonably low risk of breaking existing websites (see the “<a href="https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#CORB-and-web-compatibility">CORB and web compatibility</a>” section in the explainer). We’ve spent a considerable amount of time trying to tweak CORB to minimize compatibility risk (e.g. introducing confirmation sniffing and skipping sniffing for HTML comments since JS can have them too) and are continuing to consider additional tweaks to minimize the risk further (e.g. we are trying to gather data that might inform how to handle text/plain and range requests). The remaining risk is mostly for nosniff responses labeled with a wrong MIME type - as pointed out above, stricter handling of such responses has always been desirable, but the Spectre threat makes this more urgent.</p> <p>[1] <a href="https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?">https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?</a> [2] <a href="https://github.com/whatwg/fetch/issues/395">https://github.com/whatwg/fetch/issues/395</a> [3] <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1302539">https://bugzilla.mozilla.org/show_bug.cgi?id=1302539</a></p><p>This question comes from the open-source project: whatwg/fetch</p></div>