Apache 403 on a POST request when the content type is specified

I have a problem with a POST request when the content type is specified.

I am using both Postman and PHP to make the request; this is the code of the page I am trying to reach:

<?php 

  $data = array ('promptIfUnknown' => true, 'userAgent' => $_SERVER ['HTTP_USER_AGENT']);

  header("Content-Type: application/json");   
  header("Access-Control-Allow-Origin: *");   
  header("Access-Control-Allow-Headers: X-Requested-With, Content-Type, Origin, Cache-Control, Pragma, Authorization, Accept, Accept-Encoding, Accept-Language, User-Agent");   
  header('Access-Control-Allow-Methods: POST, GET, OPTIONS');   
  header("AMP-Access-Control-Allow-Source-Origin: https://example.net");  
  header("Access-Control-Allow-Credentials: true");   
  header("Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin");   
  header("AMP-Redirect-To: https://example.net/index.php");   
  header("Access-Control-Expose-Headers: AMP-Access-Control-Allow-Source-Origin"); 


  echo json_encode($data);

In Postman I can make the request with any header, so I can get a result, but when the header is specified, I get a 403.

This is an excerpt from my .htaccess

# ######################################################################
# # CROSS-ORIGIN                                                       #
# ######################################################################

# ----------------------------------------------------------------------
# | Cross-origin requests                                              |
# ----------------------------------------------------------------------

# Allow cross-origin requests.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# http://enable-cors.org/
# http://www.w3.org/TR/cors/

<IfModule mod_headers.c>
    Header add Access-Control-Allow-Origin "*"
    Header add Access-Control-Allow-Headers "origin, x-requested-with, Content-Type, accept, accept-encoding, accept-language, user-agent"
    Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

 </IfModule>

# ----------------------------------------------------------------------
# | Cross-origin images                                                |
# ----------------------------------------------------------------------

# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html

<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>

# ----------------------------------------------------------------------
# | Cross-origin web fonts                                             |
# ----------------------------------------------------------------------

# Allow cross-origin access to web fonts.

<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# ----------------------------------------------------------------------
# | Cross-origin resource timing                                       |
# ----------------------------------------------------------------------

# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that
# would allow its timing information to be shared with the document,
# some of the attributes of the `PerformanceResourceTiming` object will
# be set to zero.
#
# http://www.w3.org/TR/resource-timing/
# http://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/

# <IfModule mod_headers.c>
#     Header set Timing-Allow-Origin: "*"
# </IfModule>


# ######################################################################
# # ERRORS                                                             #
# ######################################################################

# ----------------------------------------------------------------------
# | Custom error messages/pages                                        |
# ----------------------------------------------------------------------

# Customize what Apache returns to the client in case of an error.
# https://httpd.apache.org/docs/current/mod/core.html#errordocument

ErrorDocument 404 /404.html

# ----------------------------------------------------------------------
# | Error prevention                                                   |
# ----------------------------------------------------------------------

# Disable the pattern matching based on filenames.
#
# This setting prevents Apache from returning a 404 error as the result
# of a rewrite when the directory with the same name does not exist.
#
# https://httpd.apache.org/docs/current/content-negotiation.html#multiviews

Options -MultiViews

These are the headers that Chrome is trying to send

Host: example.net
Connection: keep-alive
Content-Length: 32
Accept: application/json
Origin: https://www.example.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Content-Type: text/plain;charset=utf-8
DNT: 1
Referer: https://www.example.net/index.amp.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en,fr-FR;q=0.9,fr;q=0.8,en-US;q=0.7
Cookie: some cookies here

What is missing?

0 answers
