OneDrive Cors用JavaScript下载 [英] Onedrive cors download in javascript
问题描述
我正在尝试在客户端javascript中处理onedrive文件,但是首先我需要一种使用XMLHttpRequest来下载文件的方法. Onedrive支持cors进行许多操作,但是将文件下载到javascript中存在以下问题:
I'm trying to process onedrive files in client-side javascript, but first I need a way to use XMLHttpRequest to download the file. Onedrive supports cors for a lot of operations, but for downloading the file into javascript there is the following problem:
如此处所述: onedrive rest api手册
我可以将请求发送至:
获取 https://apis.live.net/v5.0 /FILE_ID/content?access_token = ACCESS_TOKEN
,它将回复并带有位置标头,将浏览器重定向到文件.问题是,当我通过XHR发送这些请求时,浏览器总是发送带有请求的Origin标头.对于上述的第一个请求,onedrive还答复了Access-Control-Allow-Origin:*标头,因此该请求在浏览器中被允许.但是,当浏览器重定向到文件的实际位置时,该资源没有Access-Control-Allow-Origin标头,因此XHR请求被浏览器拒绝(chrome发送的Origin标头设置为重定向请求).
and it will reply with a location header redirecting the browser to the file. The problem is when I send these requests through XHR, the browser always sends the Origin header with the request. For the first request I described above, onedrive also replies with an Access-Control-Allow-Origin:* header, so the request is allowed in the browser. However, when the browser is redirected to the actual location of the file, that resource does not have the Access-Control-Allow-Origin header, so the XHR request is denied by the browser(chrome sends an Origin header set to null for the redirect request).
我也尝试获取位置,但没有自动重定向,然后发送另一个XHR请求,这会将源标头设置为我网站的域,但是结果是相同的.
I've also tried getting the location but not redirecting automatically, and then sending another XHR request, this will set the origin header to the domain of my site, but the result is the same.
正如我在开始时提到的,我需要使用javascript处理数据,因此我没有在问如何将onedrive文件下载到硬盘驱动器.我需要网页中的javascript可以访问这些数据.
As I mentioned in the beginning, I need to process the data in javascript, so I'm not asking about how to download onedrive files to hard drive. I need the data to be accessible by javascript in the webpage.
我知道我可以使用服务器端编程为我获取文件数据,然后将其发送到客户端,但是对于我的应用程序来说,这不是一个选择(至少这不是我要的)一刻).
I know that I can use server side programming to get the file data for me and then send it to the client, but for my application this is not an option(at least this is not what I'm asking for at the moment).
如果没有办法做到这一点,那么有谁知道为什么要以这种方式实现自己的api?为了允许javascript通过cors获取位置并进行重定向,但不包括重定向资源的cors标头.为什么不首先拒绝cors?这是一个错误吗?
If there is no way to do this, does anyone have an idea why they would implement their api this way? To allow javascript to get the location through cors and redirect but not include a cors header for the redirected resource. Why not just deny cors in the first place? Is this a bug?
推荐答案
据我所知,答案是,下载内容不能完全通过JavaScript在浏览器中完成.他们为什么这样做呢?您必须要问他们,但是我会猜到是一个错误,还是一些未指定的安全问题".对于它的价值,他们似乎认为下载内容 符合以下文档中的CORS:
The answer, as best as I can tell, is that downloading content cannot be done purely by JavaScript in a browser. Why did they do it this way? You'd have to ask them, but I would guess either a bug, or some unspecified "security concerns". For what it's worth, they seem to think that downloading content is CORS compliant in the documentation here: https://dev.onedrive.com/misc/working-with-cors.htm:
要在JavaScript应用中从OneDrive下载文件,则不能使用 /content API,因为它以302重定向响应. 302重定向 当需要进行CORS飞行前检查时,明确禁止这样做,例如 提供授权标头时.
To download files from OneDrive in a JavaScript app you cannot use the /content API, since this responds with a 302 redirect. A 302 redirect is explicitly prohibited when a CORS preflight is required, such as when providing the Authorization header.
相反,您的应用需要选择@ content.downloadUrl属性, 返回与/content重定向到的URL相同的URL. 然后可以使用XMLHttpRequest直接请求此URL.因为 这些URL是经过预先认证的,可以在不使用CORS的情况下进行检索 飞行前请求.
Instead, your app needs to select the @content.downloadUrl property, which returns the same URL that /content would have redirected to. This URL can then be requested directly using XMLHttpRequest. Because these URLs are pre-authenticated they can be retrieved without a CORS preflight request.
但是,据我所知,它们是错误的.仅仅因为您不需要预检请求,并不意味着该响应符合CORS.您仍然需要在响应上添加一个Access-Control-Allow-Origin标头.
However, to the best of my knowledge, they are wrong. Just because you don't need a preflight request doesn't mean that the response is CORS-compliant. You still need an Access-Control-Allow-Origin header on the response.
对于任何想知道的人来说,这个 仍然是新Graph API(根据我的理解,它实际上是OneDrive API的代理API)中的问题.仍然存在相同的基本问题-您可以从商品中获得下载URL,但是该URL指向不符合CORS的资源,因此不会带来很多好处.
For anyone wondering, this is still an issue in the new Graph API (which is essentially a proxy API to the OneDrive API, as I understand it). The same basic issue is still present - you can get a download URL from your items, but that URL points to a non-CORS-compliant resource, so it doesn't do you a whole lot of good.
我在Microsoft 此处上看到一个活跃的问题. .我的问题得到了一些回应(我让他们通过graph API公开了下载URL),但是我仍然在等待他们是否会提出从JavaScript下载内容的真正解决方案.
I have an active issue open with Microsoft here about this issue. There has been some response to my issue (I got them to expose the download URL through the graph API), but I'm still waiting to see if they'll come up with a real solution to downloading content from JavaScript.
如果在该问题上有解决方案或真实答案,我将尝试在此处进行报告,以便将来其他人可以参考.
If I get a solution or real answer on that issue, I'll try to report back here so others in the future can have a real answer to reference.
这篇关于OneDrive Cors用JavaScript下载的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
