为什么我的Drupal 8 CORS设置不起作用? [英] Why is my Drupal 8 CORS setup not working?

问题描述

从Drupal 8.2开始，cors设置处于核心位置.在我的services.yml(和default.services.yml)中，我具有以下设置:

Since Drupal 8.2 the cors setup is in core. In my services.yml (and default.services.yml) I have the following setup:

cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['*']
    # Configure requests allowed from specific origins.
    allowedOrigins: ['*']
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: 1000
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: true

我的域a.com受htaccess密码保护.

My domain a.com is htaccess password protected.

在域b.com上，我尝试从域a.com加载一些API:

On domain b.com I try to load some API from domain a.com:

$.ajaxSetup({
  xhrField: {
    withCredentials : true
  },
  beforeSend: function (xhr) {
    xhr.setRequestHeader('Authorization', 'Basic Z2VuaXVzOmNvYXRpbmdz');
  }
});

request = $.ajax({
  url: apiBaseUrl + 'api/foobar',
  dataType: 'json',
  type: 'get',
  password: 'foo',
  username: 'bar'
});

在chrome中，它工作正常，在Firefox中，我得到了一个错误.请求标头:

In chrome it works fine, in firefox I get an error. The request headers:

Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization

Response是401需要授权"，它表示请求方法是OPTIONS(?).

Response is 401 "Authorization required", it says request method is OPTIONS (?).

这是怎么了?

在失眠中执行相同的请求即可.

Doing the same request in insomnia works perfectly fine.

推荐答案

Response是401需要授权"，它表示请求方法是OPTIONS(?).

Response is 401 "Authorization required", it says request method is OPTIONS (?).

您需要将服务器后端配置为不要求对OPTIONS请求进行授权.

You need to configure your server backend to not require authorization for OPTIONS requests.

该401响应表明服务器正在请求OPTIONS请求的授权，但是授权失败，因为该请求不包含必需的凭据.

That 401 response indicates the server is requiring authorization for an OPTIONS request, but authorization is failing because the request doesn’t contain the required credentials.

原因是OPTIONS请求是您的浏览器作为CORS的一部分自动发送的.

The reason is, that OPTIONS request is sent automatically by your browser as part of CORS.

https://developer.mozilla.org/en -US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests 总体上解释了为什么浏览器发出CORS预检OPTIONS请求，但是在该问题的特定情况下，原因是因为该请求包含Authorization请求标头.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests explains in general why browsers make CORS preflight OPTIONS requests, but in the specific case in the question, the reason is because the request contains the Authorization request header.

所以发生了什么事

1. 您的代码告诉您的浏览器它想发送带有Authorization标头的请求.
2. 您的浏览器说，好吧，带有Authorization头的请求要求我执行CORS预检OPTIONS，以确保服务器允许带有Authorization头的请求.
3. 您的浏览器将OPTIONS请求发送到服务器而没有Authorization标头，因为OPTIONS检查的整个目的是查看是否可以包含该标头./li>
4. 您的服务器看到了OPTIONS请求，但没有以表明它允许请求中使用Authorization标头的方式对其进行响应，而是由于缺少标头而以401拒绝了它.
5. 您的浏览器期望CORS飞行前响应为200或204，但会得到401响应.因此，您的浏览器就在那里停止了，并且再也不会尝试通过您的代码发出GET请求.

1. Your code’s telling your browser it wants to send a request with the Authorization header.
2. Your browser says, OK, requests with the Authorization header require me to do a CORS preflight OPTIONS to make sure the server allows requests with the Authorization header.
3. Your browser sends the OPTIONS request to the server without the Authorization header, because the whole purpose of the OPTIONS check is to see if it’s OK to include that header.
4. Your server sees the OPTIONS request but instead of responding to it in a way that indicates it allows the Authorization header in requests, it rejects it with a 401 since it lacks the header.
5. Your browser expects a 200 or 204 response for the CORS preflight but instead gets that 401 response. So your browser stops right there and never tries the GET request from your code.

因此，您需要确定当前服务器端代码的哪一部分导致服务器要求对OPTIONS请求进行授权，并且您需要对其进行更改，以使其在无需授权的情况下处理OPTIONS请求

So you need to figure out what part of your current server-side code is causing your server to require authorization for OPTIONS requests, and you need to change that so that it instead handles OPTIONS requests without authorization being required.

修复此问题后，问题中显示的现有cors.config应该会导致服务器以正确的方式响应OPTIONS请求-使用包含Authorization的Access-Control-Allow-Headers响应标头，这样您的浏览器然后可以说，确定，此服务器允许包含Authorization标头的跨域请求，所以我现在继续发送实际的GET请求.

Once you fix that, the existing cors.config shown in the question should cause the server to respond to the OPTIONS request in the right way—with an Access-Control-Allow-Headers response header that includes Authorization, so that your browser can then say, OK, this server allows cross-origin requests that contain the Authorization header, so I’ll now go ahead and send the actual GET request.

这篇关于为什么我的Drupal 8 CORS设置不起作用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！