jQuery的，CORS，JSON（不填充）和身份验证问题 [英] jQuery, CORS, JSON (without padding) and authentication issues

问题描述

我有两个域。我想通过一个页面从一个域访问JSON对象上的另一个。我读过的一切，我能找到的关于这个问题，而且还能不知道这一点。

I have two domains. I'm trying to access a JSON object from one domain through a page on another. I've read everything I could find regarding this issue, and still can't figure this out.

服务于JSON的域有以下设置：

The domain serving the JSON has the following settings:

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, OPTIONS"
Header set Access-Control-Allow-Headers "origin, authorization, accept"

这是我的其他领域，我打电话以下几点：

From my other domain, I'm calling the following:

$.ajax({
         type:'get',
         beforeSend: function(xhr) {
             var auth = // authentication; 
             xhr.setRequestHeader("Authorization", "Basic " + auth);
         }
         url:myUrl,
         dataType:'json',
         error: function(xhr, textStatus, errorThrown) { console.log(textStatus, errorThrown); }
      })

我知道，身份验证正确初始化（登录并检查）。但是，这是行不通的。在Firefox的控制台，我得到     请求URL：...

I know that 'auth' is initialized properly (logged and checked). However, this does not work. In Firefox's Console, I get Request URL: ...

Request Method:
OPTIONS

Status Code:
HTTP/1.1 401 Authorization Required

如果我摆脱 beforeSend的：... 部分，我看到下面的

If I get rid of the beforeSend:... part, I see the following

Request Method:
GET

Status Code:
HTTP/1.1 401 Authorization Required

然而，域名服务JSON也能起到JSONP。我不想用这个，主要是因为该应用程序将在一个专用的浏览器中运行不断，我担心的这个问题。更重要的是，我真的想知道什么是真正错误的我在做什么。我知道，出于实用的目的有各种不同的方法来克服JSONP内存泄漏（如不使用jQuery）。

However, the domain serving JSON also can serve JSONP. I don't want to use this, mainly because the application will be running constantly on a dedicated browser, and I'm worried about this issue. More importantly, I would really like to know what is actually wrong with what I am doing. I know that for practical purposes there are various ways to overcome the JSONP memory leak (such as not using jQuery).

在任何情况下，我没有使用JSONP，我的code是这样的：

At any rate, when I did use JSONP, my code looked like this:

$.ajax({
    url:newUrl,
    dataType:'jsonp',
    jsonp:'jsonp'
}).done(function(d){console.log(d)})

这会得到以下

Request Method:
GET

Status Code:
HTTP/1.1 200 OK

它提示我，输入用户名和密码的提示框后。

after it prompts me with an alert box for a username and password.

有jQuery中处理JSONP请求，而不是JSON请求的方式有根本的区别？如果是的话，我该如何解决这个问题？

Is there a fundamental difference in the way jQuery handles JSONP requests as opposed to JSON requests? And if so, how can I fix this?

感谢。

编辑：这是我没找到

基本上，因为我需要验证，GET请求发送Authorization头。然而，这不是一个简单报头，所以浏览器发送一个$ P $对 - 飞行请求（OPTIONS）。这preflight请求没有任何身份验证，虽然，所以服务器拒绝它。该办法是设置服务器，让OPTIONS请求不需要身份验证，并把它报告的200 HTTP状态。

Basically, because I need authentication, the GET request is sending an Authorization header. However, this is not a "simple" header, and so the browser is sending a pre-flight request (the OPTIONS). This preflight request doesn't have any authentication, though, and so the server was rejecting it. The "solution" was to set the server to let OPTIONS request not require authentication, and report an HTTP status of 200 to it.

参考：的http://www.kinvey.com/blog/item/61-kinvey-adds-cross-origin-resource-sharing-cors

邮件归档[.COM] /c-user@axis.apache.org/msg00790.html（不允许发布更多的链接）

mail-archive[.com]/c-user@axis.apache.org/msg00790.html (not allowed to post more links)

不幸的是，办法只是工作的Firefox和Chrome浏览器没有。 Chrome浏览器只显示红色的要求，但并没有给我，为什么它没有任何更多的信息。

Unfortunately, the "solution" is only working on Firefox and not Chrome. Chrome simply shows the request in red, but doesn't give me any more info on why it failed.

编辑2：固定在Chrome：我试图得到了这是不信任的安全证书数据的服务器。在Chrome的preflight请求，因为这样的失败。解 superuser[.com]/questions/27268/how-do-i-disable-the-warning-chrome-gives-if-a-security-certificate-is-not-trust （不允许发布更多的链接）

Edit 2: Fixed on Chrome: The server I was trying to get data from had a security certificate which was not trusted. The preflight request on Chrome failed because of this. Solution superuser[.com]/questions/27268/how-do-i-disable-the-warning-chrome-gives-if-a-security-certificate-is-not-trust (not allowed to post more links)

推荐答案

韦尔普，现在我有足够的代表处一段时间后，我不妨回答这个问题，并接受它。

Welp, now that I have enough rep a while later, I might as well answer this question and accept it.

当您尝试将 GET JSON请求发送到页眉服务器，浏览器首先发送一个选项请确保您可以访问它。不幸的是，这个选项要求不能与它进行任何身份验证。这意味着，如果你要发送 GET 与身份验证，服务器必须允许OPTION的无需身份验证的。一旦我这样做，事情开始工作。

When you attempt to send a GET json request to a server with headers, the browser first sends an OPTION request to make sure that you can access it. Unfortunately, this OPTION request cannot carry with it any authentication. This means that if you want to send a GET with auth, the server must allow an OPTION without auth. Once I did this, things started working.

这篇关于jQuery的，CORS，JSON（不填充）和身份验证问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！