ASANA API和访问控制 - *头 [英] ASANA API and Access-Control-* headers

问题描述

我写了一些code调用来自浏览器的体位法API。从浏览器发出的所有请求XDR与期权的调用开始得到了接入控制 - *头，但是体位服务器似乎并没有回应他们不会：

I am writing some code to call the Asana API from the browser. XDR requests emitted from the browsers all begin with a call to OPTIONS to get the Access-Control-* headers, but Asana server does not seem to response to them:

Request URL:https://app.asana.com/api/1.0/users?opt_pretty=true&opt_fields=name,email
Request Method:OPTIONS
Status Code:404 Object Not Found
Request Headers:
  Accept:*/*
  Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers:origin, authorization, accept
  Access-Control-Request-Method:GET
  Connection:keep-alive
  Host:app.asana.com
  Origin:null
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1129.0 Safari/536.11

Query String Parameters:
  opt_pretty:true
  opt_fields:name,email

Response Headers:
  Content-Length:82
  Content-Type:application/json
  Date:Sat, 12 May 2012 22:23:19 GMT
  Server:nginx/0.7.67
  ...

响应头应该包含这样的内容：

Response headers should contain something like:

Access-Control-Allow-Headers: Accept, Authorization, Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: *

或者是有什么请求API时，我很想念？

Or is there anything that I am missing when requesting the API?

推荐答案

（我在体位工作）

体式API目前不返回这些标题，因为它不支持OAuth的，不能安全验证来自客户端的请求。只有安全返回这些头一个验证的客户端，否则服务将开放跨站点脚本攻击。 OAuth是功能列表在未来予以支持。

The Asana API does not return these headers right now because it does not support OAuth and cannot securely authenticate requests from clients. It is only secure to return these headers for an authenticated client, otherwise the service would be open to cross-site scripting attacks. OAuth is on the list of features to be supported in the future.

这篇关于ASANA API和访问控制 - *头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！