拒绝将不安全的标头“来源"设置为使用谷歌浏览器的xmlHttpRequest时 [英] Refused to set unsafe header "Origin" when using xmlHttpRequest of Google Chrome
问题描述
收到此错误消息:
Refused to set unsafe header "Origin"
使用此代码:
function getResponse() {
document.getElementById("_receivedMsgLabel").innerHTML += "getResponse() called.<br/>";
if (receiveReq.readyState == 4 || receiveReq.readyState == 0) {
receiveReq.open("GET", "http://L45723:1802", true, "server", "server123"); //must use L45723:1802 at work.
receiveReq.onreadystatechange = handleReceiveMessage;
receiveReq.setRequestHeader("Origin", "http://localhost/");
receiveReq.setRequestHeader("Access-Control-Request-Origin", "http://localhost");
receiveReq.timeout = 0;
var currentDate = new Date();
var sendMessage = JSON.stringify({
SendTimestamp: currentDate,
Message: "Message 1",
Browser: navigator.appName
});
receiveReq.send(sendMessage);
}
}
我做错了什么?使该CORS请求正常工作的标头中缺少什么?
What am I doing wrong? What am I missing in the header to make this CORS request work?
我尝试删除receiveReq.setRequestHeader("Origin", ...)
通话,但是Google Chrome浏览器在我的receiveReq.open()
通话中引发了访问错误...
I tried removing the receiveReq.setRequestHeader("Origin", ...)
call but then Google Chrome throws an access error on my receiveReq.open()
call...
为什么?
推荐答案
这只是一个猜测,因为我将jquery用于ajax请求,包括CORS.
This is just a guess, as I use jquery for ajax requests, including CORS.
我认为浏览器应该设置标题,而不是您.如果您能够设置标题,那将违反安全功能的目的.
I think the browser is supposed to set the header, not you. If you were able to set the header, that would defeat the purpose of the security feature.
尝试不设置这些标头的请求,然后查看浏览器是否为您设置了标头.
Try the request without setting those headers and see if the browser sets them for you.
这篇关于拒绝将不安全的标头“来源"设置为使用谷歌浏览器的xmlHttpRequest时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!