为什么我的Drupal 8 CORS设置不起作用? [英] Why is my Drupal 8 CORS setup not working?
问题描述
从Drupal 8.2开始,cors设置处于核心位置.在我的services.yml
(和default.services.yml
)中,我具有以下设置:
Since Drupal 8.2 the cors setup is in core. In my services.yml
(and default.services.yml
) I have the following setup:
cors.config:
enabled: true
# Specify allowed headers, like 'x-allowed-header'.
allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
# Specify allowed request methods, specify ['*'] to allow all possible ones.
allowedMethods: ['*']
# Configure requests allowed from specific origins.
allowedOrigins: ['*']
# Sets the Access-Control-Expose-Headers header.
exposedHeaders: false
# Sets the Access-Control-Max-Age header.
maxAge: 1000
# Sets the Access-Control-Allow-Credentials header.
supportsCredentials: true
我的域a.com
受htaccess密码保护.
My domain a.com
is htaccess password protected.
在域b.com
上,我尝试从域a.com
加载一些API:
On domain b.com
I try to load some API from domain a.com
:
$.ajaxSetup({
xhrField: {
withCredentials : true
},
beforeSend: function (xhr) {
xhr.setRequestHeader('Authorization', 'Basic Z2VuaXVzOmNvYXRpbmdz');
}
});
request = $.ajax({
url: apiBaseUrl + 'api/foobar',
dataType: 'json',
type: 'get',
password: 'foo',
username: 'bar'
});
在chrome中,它工作正常,在Firefox中,我得到了一个错误.请求标头:
In chrome it works fine, in firefox I get an error. The request headers:
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization
Response是401需要授权",它表示请求方法是OPTIONS(?).
Response is 401 "Authorization required", it says request method is OPTIONS (?).
这是怎么了?
在失眠中执行相同的请求即可.
Doing the same request in insomnia works perfectly fine.
推荐答案
Response是401需要授权",它表示请求方法是OPTIONS(?).
Response is 401 "Authorization required", it says request method is OPTIONS (?).
您需要将服务器后端配置为不要求对OPTIONS
请求进行授权.
You need to configure your server backend to not require authorization for OPTIONS
requests.
该401响应表明服务器正在请求OPTIONS
请求的授权,但是授权失败,因为该请求不包含必需的凭据.
That 401 response indicates the server is requiring authorization for an OPTIONS
request, but authorization is failing because the request doesn’t contain the required credentials.
原因是OPTIONS
请求是您的浏览器作为CORS的一部分自动发送的.
The reason is, that OPTIONS
request is sent automatically by your browser as part of CORS.
https://developer.mozilla.org/en -US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests 总体上解释了为什么浏览器发出CORS预检OPTIONS
请求,但是在该问题的特定情况下,原因是因为该请求包含Authorization
请求标头.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Preflighted_requests explains in general why browsers make CORS preflight OPTIONS
requests, but in the specific case in the question, the reason is because the request contains the Authorization
request header.
所以发生了什么事
- 您的代码告诉您的浏览器它想发送带有
Authorization
标头的请求. - 您的浏览器说,好吧,带有
Authorization
头的请求要求我执行CORS预检OPTIONS
,以确保服务器允许带有Authorization
头的请求. - 您的浏览器将
OPTIONS
请求发送到服务器而没有Authorization
标头,因为OPTIONS
检查的整个目的是查看是否可以包含该标头./li> - 您的服务器看到了
OPTIONS
请求,但没有以表明它允许请求中使用Authorization
标头的方式对其进行响应,而是由于缺少标头而以401拒绝了它. - 您的浏览器期望CORS飞行前响应为200或204,但会得到401响应.因此,您的浏览器就在那里停止了,并且再也不会尝试通过您的代码发出
GET
请求.
- Your code’s telling your browser it wants to send a request with the
Authorization
header. - Your browser says, OK, requests with the
Authorization
header require me to do a CORS preflightOPTIONS
to make sure the server allows requests with theAuthorization
header. - Your browser sends the
OPTIONS
request to the server without theAuthorization
header, because the whole purpose of theOPTIONS
check is to see if it’s OK to include that header. - Your server sees the
OPTIONS
request but instead of responding to it in a way that indicates it allows theAuthorization
header in requests, it rejects it with a 401 since it lacks the header. - Your browser expects a 200 or 204 response for the CORS preflight but instead gets that 401 response. So your browser stops right there and never tries the
GET
request from your code.
因此,您需要确定当前服务器端代码的哪一部分导致服务器要求对OPTIONS
请求进行授权,并且您需要对其进行更改,以使其在无需授权的情况下处理OPTIONS
请求
So you need to figure out what part of your current server-side code is causing your server to require authorization for OPTIONS
requests, and you need to change that so that it instead handles OPTIONS
requests without authorization being required.
修复此问题后,问题中显示的现有cors.config
应该会导致服务器以正确的方式响应OPTIONS
请求-使用包含Authorization
的Access-Control-Allow-Headers
响应标头,这样您的浏览器然后可以说,确定,此服务器允许包含Authorization
标头的跨域请求,所以我现在继续发送实际的GET
请求.
Once you fix that, the existing cors.config
shown in the question should cause the server to respond to the OPTIONS
request in the right way—with an Access-Control-Allow-Headers
response header that includes Authorization
, so that your browser can then say, OK, this server allows cross-origin requests that contain the Authorization
header, so I’ll now go ahead and send the actual GET
request.
这篇关于为什么我的Drupal 8 CORS设置不起作用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!