php – mengapa panggilan balik ajax ini ke titik akhir REST masih diblokir oleh ‘nosniff’ karena ketidakcocokan tipe MIME (“application/json”)?

by Posted on

saya menjalankan WP di server nginx

saya telah menyiapkan titik akhir istirahat, yang ditargetkan dalam panggilan balik ajax

jika saya mengaktifkan ‘nosniff’ khas XCTO,

more_set_headers   "X-Content-Type-Options: nosniff";

di konfigurasi server, itu memblokir

"due to MIME type (“application/json”) mismatch (X-Content-Type-Options: nosniff)"

jika saya menghapus header XCTO, masalahnya hilang

saya melewatkan konten yang tidak diketik dengan benar di halaman saya

dengan templat ini,

<?php

function MY_login_ajax_action_callback( $request ){
    $response = array(
        'data'  => 'success',
        'supplemental' => array(
            'message' => 'success'
        )
    ) ;
    $response = serialize($response);
    header('Content-Type: text/javascript; charset=utf-8');
    $response = json_encode($response);

    return rest_ensure_response( $response );
}
add_action(
    'rest_api_init',
    function () {
        register_rest_route(
            'test-rest/v1',
            '/verify/',
            array(
                'methods'  => 'POST',
                'callback' => 'my_ajax_action_callback'
            )
        );
    }
);

function add_footer_js() {
    $myAjaxData = [
        'root'            => esc_url_raw( rest_url() ),
        'route'           => 'test-rest/v1/verify/',
        'nonce'           => wp_create_nonce( 'wp_rest' ),
        'success'         => 'success!',
        'failure'         => 'failure!',
        'app_usr'         => MY_APP_USR,
        'app_pwd_name'    => MY_APP_PWD_NAME,
        'app_pwd'         => MY_APP_PWD,
        'app_token'       => MY_APP_TOKEN,
    ];
?>

    <script type="application/json" id="myAjaxData" >
        <?php echo json_encode( $myAjaxData, JSON_UNESCAPED_SLASHES ) ?>
    </script>

    <script type="text/javascript">
        var myAjaxData = JSON.parse(document.getElementById('myAjaxData').textContent);
        console.log('myAjaxData:    ' + JSON.stringify(myAjaxData, null, "\t"));

    jQuery( "#myform" ).submit(function(e) {
        var myE = e;
        const mySubmitContinue="yes";
        if ( mySubmitContinue === 'no') {
            alert( "Handler for .submit() : HALT" );
            e.preventDefault();
        } else {
            alert( "Handler for .submit() : CONTINUE" );
        }
    });

    jQuery('#wp-submit').on('click', function(e) {
        var myE = e;
        var formData = jQuery('#myform').serializeArray();
        var data = {
            action: 'my_ajax_action',
            dataForPHP: formData
        };
        var myAjaxUrl = myAjaxData.root + myAjaxData.route;

        jQuery.ajax({

            url: myAjaxUrl,
            method: 'POST',
            dataType: 'jsonp',
            contentType: 'text/javascript; charset=UTF-8',

            async: false,
            data: data,
            cache: false,
            crossDomain: true,
            headers: {
                'Cache-Control': 'no-cache, no-store, must-reverify',
                'Pragma': 'no-cache',
                'Expires': '0'
            },
            beforeSend: function( xhr ) {
                xhr.overrideMimeType( "text/javascript; charset=UTF-8" );
                xhr.setRequestHeader('Authorization', 'Basic ' + myAjaxData.app_token);
            },
        })
        .done(function ( response ) {
            console.log( 'AJAX success:    ' + JSON.stringify(response, null, "\t") );
        })
        .fail(function ( response ) {
            console.log( 'AJAX error:      ' + JSON.stringify(response, null, "\t") );
        })
        .always(function( response ) {
            //
        });

    });
    </script>
<?php
    return;
}
add_action('wp_footer', 'add_footer_js' );

if ( ! is_user_logged_in() ) {
    $args = array (
        'form_id'        => 'myform',
        'redirect'       => home_url(),
        'label_username' => __( 'User: ' ),
        'label_password' => __( 'Pass: ' ),
        'label_log_in'   => __( 'LogIn' ),
        'remember'       => false,
        'value_remember' => false
    );
    wp_login_form( $args );
} else {
    nocache_headers();
    wp_safe_redirect( home_url() );
    exit();
}

sedang dimuat, di konsol

myAjaxData:    {
    "root": "https://example.com/wp-json/",
    "route": "my-rest/v1/verify/",
    "nonce": "abcde12345",
    "success": "success!",
    "failure": "failure!",
    "app_usr": "myadmin",
    "app_pwd_name": "my-login-rest-api",
    "app_pwd": "xxx...xxx",
    "app_token": "cfa...Cf="
}

lalu, di klik untuk mengirim, di konsol

The resource from “https://example.com/wp-json/my-rest/v1/verify/?callback=jQuery5640465132067422652_1679170534810&action=my_ajax_action&dataForPHP%5B0%5D%5Bname%5D=log&dataForPHP%5B0%5D%5Bvalue%5D=myadmin&dataForPHP%5B1%5D%5Bname%5D=pwd&dataForPHP%5B1%5D%5Bvalue%5D=yyy...yyy&dataForPHP%5B2%5D%5Bname%5D=redirect_to&dataForPHP%5B2%5D%5Bvalue%5D=https%3A%2F%2Fexample.com&_=1679170534811” was blocked due to MIME type (“application/json”) mismatch (X-Content-Type-Options: nosniff).

AJAX error:      {
    "readyState": 4,
    "status": 404,
    "statusText": "error"
}

dan peringatan

"Handler for .submit() : CONTINUE"

apa yang diblokir? di suatu tempat di sana perlu spesifikasi konten lain. tapi apa dan dimana?

Published by Mimin Tikcode

Leave a Reply

Your email address will not be published. Required fields are marked *