JavaScript - XMLHttpRequest, Access-Control-Allow-Origin errors


Problem description

I'm attempting to send an XMLHttpRequest to a paste site. I'm sending an object containing all the fields that the API requires, but I keep getting this issue. I have read over the issue, and I thought:

httpReq.setRequestHeader('Access-Control-Allow-Headers', '*');

would fix it, but it didn't. Does anyone have any information on this error and/or how I can fix it?

Here is my code:

(function () {

    'use strict';

    var httpReq = new XMLHttpRequest();
    var url = 'http://paste.ee/api';
    var fields = 'key=public&description=test&paste=this is a test paste&format=JSON';
    var fields2 = {key: 'public', description: 'test', paste: 'this is a test paste', format: 'JSON'};

    httpReq.open('POST', url, true);
    console.log('good');

    httpReq.setRequestHeader('Access-Control-Allow-Headers', '*');
    httpReq.setRequestHeader('Content-type', 'application/ecmascript');
    httpReq.setRequestHeader('Access-Control-Allow-Origin', '*');
    console.log('ok');

    httpReq.onreadystatechange = function () {
        console.log('test');
        if (httpReq.readyState === 4 && httpReq.status === 'success') {
            console.log('test');
            alert(httpReq.responseText);
        }
    };

    httpReq.send(fields2);

}());

And here is the exact console output:

good
ok
Failed to load resource: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:40217' is therefore not allowed access. http://paste.ee/api
XMLHttpRequest cannot load http://paste.ee/api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://127.0.0.1:40217' is therefore not allowed access. index.html:1
test

Here is the console output when I test it locally on a regular Chromium browser:

good
ok
XMLHttpRequest cannot load http://paste.ee/api. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. index.html:1
test


Recommended answer

I think you've missed the point of access control.

A quick recap on why CORS exists: Since JS code from a website can execute XHR, that site could potentially send requests to other sites, masquerading as you and exploiting the trust those sites have in you (e.g. if you have logged in, a malicious site could attempt to extract information or execute actions you never wanted) - this is called a CSRF attack. To prevent that, web browsers have very stringent limitations on what XHR you can send - you are generally limited to just your domain, and so on.

Now, sometimes it's useful for a site to allow other sites to contact it - sites that provide APIs or services, like the one you're trying to access, would be prime candidates. CORS was developed to allow site A (e.g. paste.ee) to say "I trust site B, so you can send XHR from it to me". This is specified by site A sending "Access-Control-Allow-Origin" headers in its responses.

In your specific case, it seems that paste.ee doesn't bother to use CORS. Your best bet is to contact the site owner and find out why, if you want to use paste.ee with a browser script. Alternatively, you could try using an extension (those should have higher XHR privileges).
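
The server-side decision the answer describes, as an added example that is not part of the original post and not paste.ee's code: the responding site chooses which origins may read its responses, and Access-Control-* headers a page puts on its own request have no effect. The allowlist, the function names and the sample origins are assumptions made for illustration.

```javascript
// Added example: how a server decides CORS. ALLOWED_ORIGINS and all function
// names are hypothetical; the origin value is a constructed sample.
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:40217']);
const ALLOWED_METHODS = 'POST, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type';

// Compute the CORS response headers for one request. Only the Origin header
// that the browser attaches is consulted; Access-Control-* headers set by the
// calling page on its request are ignored.
function corsResponseHeaders(method, requestHeaders) {
  const origin = requestHeaders['origin'];
  const headers = { 'Vary': 'Origin' }; // stop caches reusing a per-origin reply
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return headers; // no Access-Control-Allow-Origin: the browser blocks the read
  }
  headers['Access-Control-Allow-Origin'] = origin; // echo the vetted origin, not '*'
  if (method === 'OPTIONS') { // preflight sent before non-simple requests
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS;
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS;
  }
  return headers;
}

// Simplified model of the browser-side check behind the console error above.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const allowed = responseHeaders['Access-Control-Allow-Origin'];
  return allowed === '*' || allowed === pageOrigin;
}

// Handler with the (req, res) shape that Node's http.createServer expects.
function handleRequest(req, res) {
  const headers = corsResponseHeaders(req.method, req.headers);
  if (req.method === 'OPTIONS') {
    res.writeHead(204, headers);
    return res.end();
  }
  res.writeHead(200, { ...headers, 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
```

The allowlist deliberately omits the literal origin `null`, which is what a page opened from the local file system sends, as in the second console output.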
