跨域AJAX withCredentials，PHP返回标头content-length，但没有内容 [英] Cross-domain AJAX withCredentials, PHP returns header content-length, but no content

问题描述

我正在尝试从一个域上的页面向另一个域上的PHP服务器发送跨域请求.没有凭据，一切都可以正常工作(我需要一个会话)，但是一旦添加凭据，它就无法工作.

I am trying to send a cross domain request from a page on one domain to a PHP server on an other domain. Everything works fine without credentials (I need a session) but as soon as I add credentials, it doesn't work.

这是JS代码:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://phpserver.net',true);
xhr.withCredentials = true ;
xhr.onreadystatechange = function(e) {
    if (this.readyState == 4 && this.status == 200) {
        alert(this.responseText);
    }
}
xhr.send();

请记住，它无需凭据即可工作.没有警报.所以我用Firebug检查了网络:

Please remember that it works without credentials. There is no alert. So I inspected the network with Firebug:

该请求已由服务器正确处理，已通过HTTP代码200接收到，但没有任何内容.我检查了标题:

The request is correctly handled by the server, it's received with an HTTP code 200 but there is no content. I checked the headers :

HTTP/1.1 200 OK
Date: Fri, 14 Jun 2013 17:20:19 GMT
Server: Apache/2.4.2 (Win64) PHP/5.4.3
X-Powered-By: PHP/5.4.3
Access-Control-Allow-Origin: *
access-control-allow-credentials: true
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: key=441wqr3e4cf2456c763c1ea173aa06b5ad284e5f38; expires=Fri, 28-Jun-2013 17:20:19 GMT
key2=248fbaf41cdd698549fdddb341927885; expires=Fri, 28-Jun-2013 17:20:19 GMT
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

最后是我最奇怪的发现:标头"Content-Length"实际显示的是内容的长度！如果我添加回显"foo"，则内容长度将增加三，依此类推.

And finally my strangest discovery : The header "Content-Length" actually shows the real content length! If I add an echo "foo", the content-length increase by three and so on.

我看着很多问题，但是这个问题确实很棘手，我找不到任何解决方案.

I looked trough lots of questions but this one is really tricky and I can't find any solution.

编辑:我忘了提一下，如果我使用用户脚本和GM_xhr函数代替xmlHttpRequest对象，则此请求有效.

EDIT : I forgot to mention that this request works if instead of the xmlHttpRequest object I use a user-script and the GM_xhr function.

推荐答案

将标头 Access-Control-Allow-Credentials 设置为true时，不能对标头 Access-Control使用通配符-允许来源.即，必须指定特定的主机.

When setting headerAccess-Control-Allow-Credentials to true, you cannot use a wildcard for header Access-Control-Allow-Origin. That is, a specific host must be specified.

代替:

Access-Control-Allow-Origin: *

使用:

Access-Control-Allow-Origin: http://safedomain.com

您甚至可以将 Access-Control-Allow-Origin 标头设置为请求中收到的 Origin 标头.不确定PHP，但使用Java Servlets API:

You can even set the Access-Control-Allow-Origin header to the Origin header received in the request. Not sure about PHP, but using the Java Servlets API:

String origin = request.getHeader("Origin");    
request.setHeader("Access-Control-Allow-Origin", origin);

这篇关于跨域AJAX withCredentials，PHP返回标头content-length，但没有内容的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！