Access-Control-Allow-Origin header not working - What am I doing wrong?


Problem description



I am attempting to provide a response to the HTTP OPTIONS method with an Access-Control-Allow-Origin header copying the contents of the Origin header in the request.

This is apparently not working, for reasons I can't figure out.

tl;dr: response from OPTIONS says:

Access-Control-Allow-Origin: http://10.0.0.105:9294

subsequent GET has:

Origin:http://10.0.0.105:9294

Chrome says:

Origin http://10.0.0.105:9294 is not allowed by Access-Control-Allow-Origin

WTF not?

More detail...

By looking in Chrome's developer tools window, the request headers are:

OPTIONS /user/kris HTTP/1.1
Host: 10.0.0.104:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://10.0.0.105:9294
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1
Access-Control-Request-Headers: origin, x-requested-with, content-type, accept
Accept: */*
Referer: http://10.0.0.105:9294/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

The response headers are:

HTTP/1.0 200 OK
Date: Mon, 13 Aug 2012 11:23:45 GMT
Server: WSGIServer/0.1 Python/2.7.3
Content-Length: 0
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS
Access-Control-Max-Age: 10
Access-Control-Allow-Origin: http://10.0.0.105:9294
Access-Control-Allow-Headers: X-Requested-With, Authorization, X-Huzu-User, Content-Type, Accept
Content-Type: text/html; charset=UTF-8

After jQuery sends its OPTIONS request and gets the above response, 2 odd things happen. The OPTIONS response (which is a 200) shows up in the developer console as an error:

OPTIONS http://10.0.0.104:8080/user/kris 200 (OK)

After which a GET request is rejected. Error in the console:

XMLHttpRequest cannot load http://10.0.0.104:8080/user/kris. Origin http://10.0.0.105:9294 is not allowed by Access-Control-Allow-Origin.

I can't see why not. What am I doing wrong?

Solution

OK, I think I've got it. It seems that proper handling of the pre-flight OPTIONS request is necessary, but NOT SUFFICIENT for cross-site resource requests to work.

After the OPTIONS request comes back with satisfactory headers, all responses to any subsequent requests to the same URL also have to have the necessary "Access-Control-Allow-Origin" header, otherwise the browser will swallow them, and they won't even show up in the debugger window.

So it will look like the browser cancelled the request because of some problem in the OPTIONS response, but actually, the browser is looking at the response headers from the real request and then rejecting them.
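The fix described in the answer, as an added example that is not part of the original post: a WSGI middleware (the question's server is a Python WSGIServer) that sets Access-Control-Allow-Origin on both the preflight and the actual response. `CorsMiddleware`, `demo_app`, `call` and the allowlist are hypothetical names; the origin is checked against an exact allowlist rather than echoed back unconditionally.

```python
# Added example (not the asker's code): CORS headers on preflight AND actual response.
ALLOWED_ORIGINS = {"http://10.0.0.105:9294"}  # assumed allowlist; origin from the question
PREFLIGHT = [  # values copied from the response headers shown in the question
    ("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, HEAD, OPTIONS"),
    ("Access-Control-Allow-Headers",
     "X-Requested-With, Authorization, X-Huzu-User, Content-Type, Accept"),
    ("Access-Control-Max-Age", "10")]


class CorsMiddleware:
    def __init__(self, app, allowed_origins=ALLOWED_ORIGINS):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        # Vary: Origin stops caches reusing one origin's response for another.
        cors = [("Vary", "Origin")]
        allowed = origin in self.allowed  # exact match, never a blind echo
        if allowed:
            cors.append(("Access-Control-Allow-Origin", origin))
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight: answer here; the wrapped app never sees it.
            extra = PREFLIGHT if allowed else []
            start_response("200 OK", cors + extra + [("Content-Length", "0")])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            # The actual GET/POST response must carry the header too.
            return start_response(status, list(headers) + cors, exc_info)

        return self.app(environ, cors_start_response)


def demo_app(environ, start_response):  # hypothetical application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"kris"]


def call(app, method, **extra):
    """Run a WSGI app on a constructed environ; return (status, headers, body)."""
    seen = {}
    environ = dict(REQUEST_METHOD=method, PATH_INFO="/user/kris", **extra)
    def sr(status, headers, exc_info=None):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, sr))
    return seen["status"], seen["headers"], body
```

Calling `demo_app` directly with `call` reproduces the situation in the question: the response is a 200 but has no Access-Control-Allow-Origin header, so the browser discards it.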
