跨域AJAX withCredentials,PHP返回标头content-length,但没有内容 [英] Cross-domain AJAX withCredentials, PHP returns header content-length, but no content
问题描述
我正在尝试从一个域上的页面向另一个域上的PHP服务器发送跨域请求.没有凭据,一切都可以正常工作(我需要一个会话),但是一旦添加凭据,它就无法工作.
I am trying to send a cross domain request from a page on one domain to a PHP server on an other domain. Everything works fine without credentials (I need a session) but as soon as I add credentials, it doesn't work.
这是JS代码:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://phpserver.net',true);
xhr.withCredentials = true ;
xhr.onreadystatechange = function(e) {
if (this.readyState == 4 && this.status == 200) {
alert(this.responseText);
}
}
xhr.send();
请记住,它无需凭据即可工作.没有警报.所以我用Firebug检查了网络:
Please remember that it works without credentials. There is no alert. So I inspected the network with Firebug:
该请求已由服务器正确处理,已通过HTTP代码200接收到,但没有任何内容.我检查了标题:
The request is correctly handled by the server, it's received with an HTTP code 200 but there is no content. I checked the headers :
HTTP/1.1 200 OK
Date: Fri, 14 Jun 2013 17:20:19 GMT
Server: Apache/2.4.2 (Win64) PHP/5.4.3
X-Powered-By: PHP/5.4.3
Access-Control-Allow-Origin: *
access-control-allow-credentials: true
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: key=441wqr3e4cf2456c763c1ea173aa06b5ad284e5f38; expires=Fri, 28-Jun-2013 17:20:19 GMT
key2=248fbaf41cdd698549fdddb341927885; expires=Fri, 28-Jun-2013 17:20:19 GMT
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
最后是我最奇怪的发现:标头"Content-Length"实际显示的是内容的长度!如果我添加回显"foo",则内容长度将增加三,依此类推.
And finally my strangest discovery : The header "Content-Length" actually shows the real content length! If I add an echo "foo", the content-length increase by three and so on.
我看着很多问题,但是这个问题确实很棘手,我找不到任何解决方案.
I looked trough lots of questions but this one is really tricky and I can't find any solution.
编辑:我忘了提一下,如果我使用用户脚本和GM_xhr函数代替xmlHttpRequest对象,则此请求有效.
EDIT : I forgot to mention that this request works if instead of the xmlHttpRequest object I use a user-script and the GM_xhr function.
推荐答案
将标头 Access-Control-Allow-Credentials
设置为true时,不能对标头 Access-Control使用通配符-允许来源
.即,必须指定特定的主机.
When setting headerAccess-Control-Allow-Credentials
to true, you cannot use a wildcard for header Access-Control-Allow-Origin
. That is, a specific host must be specified.
代替:
Access-Control-Allow-Origin: *
使用:
Access-Control-Allow-Origin: http://safedomain.com
您甚至可以将 Access-Control-Allow-Origin
标头设置为请求中收到的 Origin
标头.不确定PHP,但使用Java Servlets API:
You can even set the Access-Control-Allow-Origin
header to the Origin
header received in the request. Not sure about PHP, but using the Java Servlets API:
String origin = request.getHeader("Origin");
request.setHeader("Access-Control-Allow-Origin", origin);
这篇关于跨域AJAX withCredentials,PHP返回标头content-length,但没有内容的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!