Access-Control-Allow-Methods不允许DELETE [英] DELETE is not allowed by Access-Control-Allow-Methods
问题描述
我想使用jQuery从Chrome发送跨源的 DELETE
请求。
但是,由于在开发者控制台中记录了以下错误消息,因此失败:
XMLHttpRequest无法加载
http:// actual / url / here
。方法DELETE不被Access-Control-Allow-Methods允许。
javascript代码在localhost上运行,如下所示: / p>
$。ajax({
type:DELETE,
url:http:// actual / url / here,
xhrFields:{
withCredentials:true
}
});
这会导致发送如下的预飞行请求:
选项http:// actual / url / here HTTP / 1.1
主机:actual
连接:keep-alive
访问 - 控制请求方法:DELETE
原产地:null
用户代理:Mozilla / 5.0(Windows NT 6.3; WOW64)AppleWebKit / 537.36(KHTML,像Gecko)Chrome / 40.0.2214.115 Safari / 537.36
Access-Control-Request-Headers:accept
Accept:* / *
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en; q = 0.8
并且响应如下所示:
HTTP / 1.1 200 OK
缓存控制:必须重新验证,私人
内容长度:0
服务器:Microsoft-HTTPAPI / 2.0
访问控制允许方法:DELETE GET HEAD POST PUT OPTIONS TRACE
Access-Control-Allow-Headers:accept
访问控制 - 最大年龄:900
访问-Control-Allow-Origin:null
Access-Control-Allow-Credentials:true
日期:Wed,11 Mar 2015 15:03:46 GMT
据我所知,这很好。客户端通过发送 Access-Control-Request-Method:DELETE
来检查是否允许 DELETE
,服务器说是通过响应允许的方法:Access-Control-Allow-Methods:DELETE GET HEAD POST PUT OPTIONS TRACE
。
,不会发送 DELETE
请求,而是报告错误消息(上面)。 为什么? code>访问控制 - 允许方法的值
需要是逗号分隔的列表,而不是以空格分隔的列表。
从 MDN :
Access-Control-Allow-Methods:< method> [,< method>] *
pre>
I'm trying to send a cross-origin DELETE
request from Chrome using jQuery.
However, that fail with the following error message being logged in the developer console:
XMLHttpRequest cannot load
http://actual/url/here
. Method DELETE is not allowed by Access-Control-Allow-Methods.
The javascript code is running on localhost and looks like this:
$.ajax({
type: "DELETE",
url: "http://actual/url/here",
xhrFields: {
withCredentials: true
}
});
This results in a pre-flight request like this being sent:
OPTIONS http://actual/url/here HTTP/1.1
Host: actual
Connection: keep-alive
Access-Control-Request-Method: DELETE
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Access-Control-Request-Headers: accept
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
And the response looks like this:
HTTP/1.1 200 OK
Cache-Control: must-revalidate, private
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
Access-Control-Allow-Headers: accept
Access-Control-Max-Age: 900
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Date: Wed, 11 Mar 2015 15:03:46 GMT
As far as I can tell this is just fine. The client checks whether DELETE
is allowed by sending Access-Control-Request-Method: DELETE
and the server says that it is allowed by responding with Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
.
However, no DELETE
request is ever sent and the error message (above) is reported instead. Why?
The value of Access-Control-Allow-Methods
needs to be a comma separated list, not a space separated one.
From MDN:
Access-Control-Allow-Methods: <method>[, <method>]*
这篇关于Access-Control-Allow-Methods不允许DELETE的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!