修复跨域报错

2026-03-30 12:45:48 +08:00
parent e4e5a5cae2
commit a0d114fbc4
1 changed files with 22 additions and 6 deletions
--- a/app/common/middleware/AllowCrossDomain.php
+++ b/app/common/middleware/AllowCrossDomain.php
@@ -21,6 +21,25 @@ class AllowCrossDomain implements MiddlewareInterface
        'Access-Control-Allow-Headers'     => '*',
    ];

+    /**
+     * 读取预检请求中的 Access-Control-Request-Headers（经 CDN/反代时 Request 可能取不到，补读 $_SERVER）
+     */
+    private static function accessControlRequestHeaders(Request $request): string
+    {
+        $reqHeaders = $request->header('access-control-request-headers', '');
+        if (is_array($reqHeaders)) {
+            $reqHeaders = $reqHeaders[0] ?? '';
+        }
+        if (is_string($reqHeaders) && trim($reqHeaders) !== '') {
+            return trim($reqHeaders);
+        }
+        $fromServer = $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? '';
+        if (is_string($fromServer) && trim($fromServer) !== '') {
+            return trim($fromServer);
+        }
+        return '';
+    }
+
    /**
     * 返回 CORS 预检（OPTIONS）响应，供路由直接调用（Webman 未匹配路由时不走中间件）
     */
@@ -30,7 +49,7 @@ class AllowCrossDomain implements MiddlewareInterface
            'Access-Control-Allow-Credentials' => 'true',
            'Access-Control-Max-Age'            => '1800',
            'Access-Control-Allow-Methods'      => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
-            'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, lang',
+            'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, lang, server',
        ];
        $origin = $request->header('origin');
        if (is_array($origin)) {
@@ -49,11 +68,8 @@ class AllowCrossDomain implements MiddlewareInterface
            if ($allowed) {
                $header['Access-Control-Allow-Origin'] = $origin;
                // 回显浏览器在预检中声明的请求头，避免白名单遗漏导致 CORS 失败
-                $reqHeaders = $request->header('access-control-request-headers', '');
-                if (is_array($reqHeaders)) {
-                    $reqHeaders = $reqHeaders[0] ?? '';
-                }
-                if (is_string($reqHeaders) && trim($reqHeaders) !== '') {
+                $reqHeaders = self::accessControlRequestHeaders($request);
+                if ($reqHeaders !== '') {
                    $header['Access-Control-Allow-Headers'] = $reqHeaders;
                }
            }