Access-Control-Allow-Methods不允许DELETE [英] DELETE is not allowed by Access-Control-Allow-Methods

问题描述

我想使用jQuery从Chrome发送跨源的 DELETE 请求。

但是，由于在开发者控制台中记录了以下错误消息，因此失败：

XMLHttpRequest无法加载 http：// actual / url / here 。方法DELETE不被Access-Control-Allow-Methods允许。

javascript代码在localhost上运行，如下所示： / p>

  $。ajax（{
 type：DELETE，
 url：http：// actual / url / here，
 xhrFields：{
 withCredentials：true 
} 
}）; 
  

这会导致发送如下的预飞行请求：

 选项http：// actual / url / here HTTP / 1.1 
主机：actual 
连接：keep-alive 
访问 - 控制请求方法：DELETE 
原产地：null 
用户代理：Mozilla / 5.0（Windows NT 6.3; WOW64）AppleWebKit / 537.36（KHTML，像Gecko）Chrome / 40.0.2214.115 Safari / 537.36 
 Access-Control-Request-Headers：accept 
 Accept：* / * 
 Accept-Encoding：gzip，deflate，sdch 
 Accept-Language：en-US，en; q = 0.8 
  

并且响应如下所示：

  HTTP / 1.1 200 OK 
缓存控制：必须重新验证，私人
内容长度：0 
服务器：Microsoft-HTTPAPI / 2.0 
访问控制允许方法：DELETE GET HEAD POST PUT OPTIONS TRACE 
 Access-Control-Allow-Headers：accept 
访问控制 - 最大年龄：900 
访问-Control-Allow-Origin：null 
 Access-Control-Allow-Credentials：true 
日期：Wed，11 Mar 2015 15:03:46 GMT 
  

据我所知，这很好。客户端通过发送 Access-Control-Request-Method：DELETE 来检查是否允许 DELETE ，服务器说是通过响应允许的方法：Access-Control-Allow-Methods：DELETE GET HEAD POST PUT OPTIONS TRACE 。

，不会发送 DELETE 请求，而是报告错误消息（上面）。 为什么？ code>访问控制 - 允许方法的值

解决方案

需要是逗号分隔的列表，而不是以空格分隔的列表。

从 MDN ：

  Access-Control-Allow-Methods：< method> [，< method>] * 
  pre> 
 

I'm trying to send a cross-origin DELETE request from Chrome using jQuery.

However, that fail with the following error message being logged in the developer console:

XMLHttpRequest cannot load http://actual/url/here. Method DELETE is not allowed by Access-Control-Allow-Methods.

The javascript code is running on localhost and looks like this:

$.ajax({
    type: "DELETE",
    url: "http://actual/url/here",
    xhrFields: {
        withCredentials: true
    }
});

This results in a pre-flight request like this being sent:

OPTIONS http://actual/url/here HTTP/1.1
Host: actual
Connection: keep-alive
Access-Control-Request-Method: DELETE
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Access-Control-Request-Headers: accept
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

And the response looks like this:

HTTP/1.1 200 OK
Cache-Control: must-revalidate, private
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE
Access-Control-Allow-Headers: accept
Access-Control-Max-Age: 900
Access-Control-Allow-Origin: null
Access-Control-Allow-Credentials: true
Date: Wed, 11 Mar 2015 15:03:46 GMT

As far as I can tell this is just fine. The client checks whether DELETE is allowed by sending Access-Control-Request-Method: DELETE and the server says that it is allowed by responding with Access-Control-Allow-Methods: DELETE GET HEAD POST PUT OPTIONS TRACE.

However, no DELETE request is ever sent and the error message (above) is reported instead. Why?

解决方案

The value of Access-Control-Allow-Methods needs to be a comma separated list, not a space separated one.

From MDN:

Access-Control-Allow-Methods: <method>[, <method>]*

这篇关于Access-Control-Allow-Methods不允许DELETE的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！