XHR doesn't work because "Origin is not allowed by Access-Control-Allow-Origin"

Views: 168

Problem description

I'm working on an API server with Rails 3, which is pretty handy so far, but I'm running across an error all the time and I'm not sure whether it is because of my Apache setup or the Rails app.

When I try to do an HTTP DELETE or PUT request on http://sample.domain/uri/id via XHR, curl or HTTP-Client.app, Rails or Apache responds with 404 or 403 (depends on the client; I think because of CORS) and the Safari developer console responds with

XMLHttpRequest cannot load http://sample.domain/uri/id. Origin http://web.client/ is not allowed by Access-Control-Allow-Origin.

I'm using mod_rack aka mod_rails on Apache2, and my vhost actually contains this:

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods POST,GET,DELETE,PUT,OPTIONS
Header set Access-Control-Allow-Headers X-Requested-With

The Apache error_log responds with the following error:

[Sat Oct 30 01:37:34 2010] [error] [client 22.222.222.22] client denied by server configuration: /path/to/rails/folder/public, referer: http://web.client/

Rails development.log responds with

Started OPTIONS "/uri/id" for 84.190.123.140 at 2010-10-30 03:18:42 +0200
ActionController::RoutingError (No route matches "/uri/id"):

And here I'm not sure why the OPTIONS call comes through, because I thought this would only be the preflight, and for sure there is no route for OPTIONS because I want to respond to DELETE.

If you have any idea on how to fix this problem please share it with me.

Thanks a lot, David

Recommended answer

You need to respond to the OPTIONS method. It is sent before the actual DELETE method to determine whether sending a DELETE command is allowed, known as preflighting. You can control how long the permissions are valid with an Access-Control-Max-Age header.

Your response to OPTIONS is where you send the Access-Control-Allow-Origin, etc.

Imagine if that wasn't the case. You'd be sending ACAO after you've already deleted the object. Which may or may not have been allowed.

For the origin server it is often best to either create an actual whitelist of servers that can post/delete, or parrot back the requesting server's domain name. A "*" essentially disables CORS and opens up the user to all sorts of attacks.
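The two points of the answer, answering the preflight before the real request reaches the routes and echoing only an allowlisted origin instead of "*", as an added example that is not part of the original question or answer. It is a Rack-style middleware in plain Ruby, the kind that could sit in front of the Rails 3 app in the question; the allowed origins, the `/uri/id` stand-in app and the `request` helper are assumptions made up for the example, and no gems are required because any object with `call(env)` serves as the downstream app.

```ruby
# Added example, not code from the question or the answer. A Rack-style
# middleware that answers CORS preflight (OPTIONS) requests itself and adds
# Access-Control-Allow-Origin to normal responses, echoing only origins on an
# explicit allowlist rather than "*". Origins, paths and the stand-in app are
# assumptions. No gems needed: the downstream app is any object whose call(env)
# returns [status, headers, body], so a lambda stands in for a Rails 3 app.

class CorsAllowlist
  ALLOWED_ORIGINS = %w[http://web.client https://admin.example].freeze # assumed
  ALLOWED_METHODS = %w[GET POST PUT DELETE OPTIONS].freeze
  ALLOWED_HEADERS = %w[X-Requested-With Content-Type].freeze
  MAX_AGE         = 600 # seconds a browser may cache the preflight result

  def initialize(app)
    @app = app
  end

  def call(env)
    origin = env['HTTP_ORIGIN']
    # No Origin header: same-origin or non-browser client, pass through untouched.
    return @app.call(env) if origin.nil?

    unless ALLOWED_ORIGINS.include?(origin)
      # Unknown origin: send no CORS headers at all, so the browser blocks it,
      # and do not let the request reach the app's routes.
      return [403, { 'Content-Type' => 'text/plain' }, ['origin not allowed']]
    end

    if preflight?(env)
      # Answer the preflight here, before the real DELETE/PUT hits the router.
      headers = cors_headers(origin).merge(
        'Access-Control-Allow-Methods' => ALLOWED_METHODS.join(', '),
        'Access-Control-Allow-Headers' => ALLOWED_HEADERS.join(', '),
        'Access-Control-Max-Age'       => MAX_AGE.to_s
      )
      return [204, headers, []]
    end

    status, headers, body = @app.call(env)
    [status, headers.merge(cors_headers(origin)), body]
  end

  private

  # A preflight is an OPTIONS request announcing the method it asks permission for.
  def preflight?(env)
    env['REQUEST_METHOD'] == 'OPTIONS' && env.key?('HTTP_ACCESS_CONTROL_REQUEST_METHOD')
  end

  # Echo the single matched origin; Vary: Origin stops a shared cache from
  # handing one origin's response to another.
  def cors_headers(origin)
    { 'Access-Control-Allow-Origin' => origin, 'Vary' => 'Origin' }
  end
end

# Stand-in for the Rails app (assumed): one DELETE route that really deletes.
DELETE_COUNT = [0]
INNER_APP = lambda do |env|
  if env['REQUEST_METHOD'] == 'DELETE' && env['PATH_INFO'] == '/uri/id'
    DELETE_COUNT[0] += 1
    [200, { 'Content-Type' => 'application/json' }, ['{"deleted":true}']]
  else
    [404, { 'Content-Type' => 'text/plain' }, ['no route']]
  end
end

APP = CorsAllowlist.new(INNER_APP)

# Build a minimal Rack env from a method, path and HTTP headers, and run it.
def request(method, path, headers = {})
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path }
  headers.each { |k, v| env['HTTP_' + k.upcase.tr('-', '_')] = v }
  APP.call(env)
end

if __FILE__ == $0
  status, headers, = request('OPTIONS', '/uri/id',
                             'Origin' => 'http://web.client',
                             'Access-Control-Request-Method' => 'DELETE')
  puts "preflight from web.client: #{status} ACAO=#{headers['Access-Control-Allow-Origin']}"
  status, = request('OPTIONS', '/uri/id',
                    'Origin' => 'http://evil.example',
                    'Access-Control-Request-Method' => 'DELETE')
  puts "preflight from evil.example: #{status}, deletes performed: #{DELETE_COUNT[0]}"
end
```

The allowlist check does the work that "*" gives away: an origin not on the list gets no `Access-Control-Allow-Origin` at all, so the browser never sends the DELETE. Note that this protects browser users, not the server itself: curl or any non-browser client can omit or forge `Origin`, so the 403 branch is defence in depth and the DELETE route still needs its own authentication.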
