龙卷风服务器：启用CORS请求 [英] Tornado server: enable CORS requests

问题描述

我有一个简单的龙卷风服务器，其类为：

I have a simple tornado server which has the class:

class BaseHandler(tornado.web.RequestHandler):
    def set_default_headers(self):
        print "setting headers!!!"
        self.set_header("Access-Control-Allow-Origin", "*")

发出常规（无CORS）请求时，服务器将按预期应答，包括Access-Control-Allow-Origin标头。但是，当我发出来自不同域的发布请求（使用 jQuery.post ）时，响应为404并显示错误： XMLHttpRequest无法加载 http：// dev-machine：8090 / handshake 。请求中没有 Access-Control-Allow-Origin标头。因此，不允许访问源' http：// localhost：8090 。响应的HTTP状态代码为404。

When a regular (no CORS) request is made, the server answers as expected, including the Access-Control-Allow-Origin header. But when I make a post request coming from different domain (using jQuery.post), the response is 404 and an error is displayed: "XMLHttpRequest cannot load http://dev-machine:8090/handshake. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8090' is therefore not allowed access. The response had HTTP status code 404."

你能告诉我是否错过了吗？ （另一个标题/其他配置/其他内容）

Can you tell if I miss something? (another header/other configuration/anything else)

推荐答案

您的代码缺少预检， OPTIONS 请求。

Your code is missing preflight, the OPTIONS request.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS ：

跨域资源共享标准通过添加新的HTTP
标头来工作，这些标头允许服务器描述一组原始源，其中
被允许使用网络浏览器读取该信息。另外，
用于可能对用户数据产生副作用的HTTP请求方法（特别是
，用于除GET以外的HTTP方法，或用于
某些MIME类型的POST使用），规范要求浏览器
预检请求，并使用HTTP OPTIONS请求方法从服务器
中请求受支持的方法，然后在服务器从
中批准后，使用实际的HTTP请求
方法。服务器还可以通知客户端是否应与
请求一起发送凭据
（包括Cookie和HTTP身份验证数据）。

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser. Additionally, for HTTP request methods that can cause side-effects on user data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.

要实现预检处理程序，只需添加具有相同标题且没有主体的选项处理程序即可。

To implement preflight handler simply add options handler with the same headers and no body.

class BaseHandler(tornado.web.RequestHandler):

    def set_default_headers(self):
        print "setting headers!!!"
        self.set_header("Access-Control-Allow-Origin", "*")
        self.set_header("Access-Control-Allow-Headers", "x-requested-with")
        self.set_header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS')

    def post(self):
        self.write('some post')

    def get(self):
        self.write('some get')

    def options(self):
        # no body
        self.set_status(204)
        self.finish()

编辑

我已将 x-requested-with 标头添加到允许的列表中。这是简单的jquery示例：

I've added x-requested-with header to allowed list. And here is simple jquery sample:

 $.ajax({
   url: "http://some_tornado/api",
   type: "POST",
   crossDomain: true,
   data: 'some_data',
   success: function (response) {
     alert(response);
   },
   error: function (xhr, status) {
     alert("error");
   }
 });

还有一些关于cors的非常好的文章-> http://dev.housetrip.com/2014/04/17/unleash-your-ajax-requests -with-cors /

And some really good article about cors - http://dev.housetrip.com/2014/04/17/unleash-your-ajax-requests-with-cors/

这篇关于龙卷风服务器：启用CORS请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！