ASANA API和访问控制 - *头 [英] ASANA API and Access-Control-* headers
问题描述
我写了一些code调用来自浏览器的体位法API。从浏览器发出的所有请求XDR与期权的调用开始得到了接入控制 - *头,但是体位服务器似乎并没有回应他们不会:
I am writing some code to call the Asana API from the browser. XDR requests emitted from the browsers all begin with a call to OPTIONS to get the Access-Control-* headers, but Asana server does not seem to response to them:
Request URL:https://app.asana.com/api/1.0/users?opt_pretty=true&opt_fields=name,email
Request Method:OPTIONS
Status Code:404 Object Not Found
Request Headers:
Accept:*/*
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:origin, authorization, accept
Access-Control-Request-Method:GET
Connection:keep-alive
Host:app.asana.com
Origin:null
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1129.0 Safari/536.11
Query String Parameters:
opt_pretty:true
opt_fields:name,email
Response Headers:
Content-Length:82
Content-Type:application/json
Date:Sat, 12 May 2012 22:23:19 GMT
Server:nginx/0.7.67
...
响应头应该包含这样的内容:
Response headers should contain something like:
Access-Control-Allow-Headers: Accept, Authorization, Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: *
或者是有什么请求API时,我很想念?
Or is there anything that I am missing when requesting the API?
推荐答案
(我在体位工作)
体式API目前不返回这些标题,因为它不支持OAuth的,不能安全验证来自客户端的请求。只有安全返回这些头一个验证的客户端,否则服务将开放跨站点脚本攻击。 OAuth是功能列表在未来予以支持。
The Asana API does not return these headers right now because it does not support OAuth and cannot securely authenticate requests from clients. It is only secure to return these headers for an authenticated client, otherwise the service would be open to cross-site scripting attacks. OAuth is on the list of features to be supported in the future.
这篇关于ASANA API和访问控制 - *头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!