
fetch 加上 credentials 字段

zjcqoo 6 سال پیش
والد
کامیت
24cc0dce16
3فایلهای تغییر یافته به همراه12 افزوده شده و 7 حذف شده
  1. 1 1
      browser/proxy/src/sw.js
  2. 1 5
      server/nginx.conf
  3. 10 1
      server/proc-hdr.conf

+ 1 - 1
browser/proxy/src/sw.js

@@ -33,7 +33,7 @@ async function forward(req, urlObj, redirNum = 0) {
     mode: 'cors',
     method: req.method,
     headers: req.headers,
-    // credentials: req.credentials,
+    credentials: req.credentials,
     signal: req.signal,
     // referrerPolicy: 'no-referrer',
     referrer: req.referrer,
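Review bot: With `credentials: req.credentials`, a request whose credentials mode is `include` now carries the cookies and HTTP auth the browser holds for the fetch target, and its response is only readable when the server answers with a concrete `access-control-allow-origin` plus `access-control-allow-credentials: true`. That dependency on the server config is not recorded here; a comment above the line such as `// credentialed fetch: server must echo a vetted origin, '*' is rejected by the browser` would make it explicit. If the target is a single proxy host shared by every proxied site, it is worth confirming that cookies belonging to different sites are kept apart elsewhere, which these lines do not show. `forward` begins and ends outside the hunk.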

+ 1 - 5
server/nginx.conf

@@ -181,6 +181,7 @@ http {
       if ($_site = '') {
         return            404  "unknown site";
       }
+
       include             proc-hdr.conf;
 
       # 非 JS 发送的请求,返回安装 ServiceWorker 的页面
@@ -198,11 +199,6 @@ http {
       }
 
       # CORS preflight
-      set                 $_acao  $http_origin;
-      if ($_acao = '') {
-        # TODO: 有没有不存在 origin 字段的情况?
-        set               $_acao  '*';
-      }
       if ($request_method = 'OPTIONS') {
         more_set_headers
           'access-control-allow-origin: $_acao'

+ 10 - 1
server/proc-hdr.conf

@@ -19,6 +19,7 @@ set $_port          '';
 set $_ref           '';
 set $_ori           $http_origin;
 
+set $_acao          '';
 
 # 获取并删除 flag 参数
 # 参数格式: isHttp .. port 
@@ -33,6 +34,14 @@ if ($args ~
 # TODO:未考虑协议和端口,下面的 cors 也有这问题
 if ($http_referer ~ ^https://(?<_vhost>[^/]+)(?<_path>.*)) {
   set               $_ref       https://$_vhost_to_rhost$_path;
+  set               $_acao      https://$_vhost;
+}
+
+if ($_ori) {
+  set               $_acao      $_ori;
+}
+if ($_acao = '') {
+  set               $_acao      '*';
 }
 
 # ServiceWorker 的 fetch 强制 cors 模式,
@@ -59,7 +68,7 @@ more_clear_headers
 
 more_set_headers
   'access-control-allow-credentials: true'
-  'access-control-allow-origin: *'
+  'access-control-allow-origin: $_acao'
   'strict-transport-security: max-age=99999999; includeSubDomains; preload'
 ;
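Review bot: `$_acao` is taken straight from the request's `Origin` (falling back to the `Referer` host) in the second hunk and is then emitted beside `access-control-allow-credentials: true` in the last one, so every calling origin is granted credentialed read access to responses from this server. I would compare the value with the set of hosts this proxy actually serves before it is used and leave `$_acao` empty for anything else; the `OPTIONS` branch in nginx.conf reads the same variable and inherits the result. The `'*'` fallback has no effect for credentialed requests, because browsers refuse a wildcard when credentials are included, so either drop it or omit the allow-credentials header in that branch. Since the header value now depends on the request, add `'vary: origin'` to the `more_set_headers` list unless it is already set outside these hunks.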