如何使用授权标头发出 GET CORS 请求 [英] How to make GET CORS request with authorization header
问题描述
我正在阅读有关 CORS 请求的信息,并且我设法进行了常规的 GET 或 POST 请求,并且工作正常.但是,当我向 GET 或 POST 请求添加授权标头时,预检选项请求被发送到服务器,我得到 500 INTERNAL SERVER ERR,实际请求没有发送.我的问题是预检实际上是如何工作的,它需要什么响应才能发送主要请求?是否可以在没有预检的情况下发送它,因为我确定它会起作用?server-rside 是用 Django 1.6 编写的,并且将 ACCESS-ALLOW-ORIGIN 设置为 *,它可以处理常规的 post 和 get 请求.
I was reading about CORS requests, and I have managed to make regular GET or POST request and it works fine. But when I add authorization header to a either GET or POST request, then the preflight OPTIONS request is sent to the server and I get 500 INTERNAL SERVER ERR, and the actual request isn't sent. My question is how does the preflight actually work, and what response does it require so that it will send the main request? And is it possible to send it without the preflight because I'm sure that then it would work? The serve-rside is written in Django 1.6 and has ACCESS-ALLOW-ORIGIN set to *, and it works with regular post and get requests.
这是我的JS代码:
$.ajax({
type: "GET",
url: "http://url/login/",
async:false,
contentType: "application/json",
headers: {
"Authorization": "Basic " + btoa(loginName + ':' + password),
},
success: function (data) {
alert("OK!");
},
failure: function(errMsg) {
alert(errMsg);
}
});
这些是执行请求时来自 Chrome DevTools 的标头:请求标头:
These are the headers from Chrome DevTools when the request is executed: Request headers:
OPTIONS /login/ HTTP/1.1
Host: url
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,hr;q=0.6,sr;q=0.4
响应头:
HTTP/1.1 500 INTERNAL SERVER ERROR
Date: Thu, 31 Jul 2014 16:15:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
推荐答案
要传递授权标头,您必须将 Access-Control-Allow-Credentials 设置为 true.
To pass authorization headers you must set Access-Control-Allow-Credentials to true.
问题在于,根据规范 (MDN 解释更简单),如果 Access-Control-Allow-Credentials 设置为 true,Access-Control-Allow-Origin 不能包含 *,因此允许任何主机发出附加凭据的请求.
The problem is that, according to specification (MDN explains it simpler), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, therefore allowing any hosts making requests with credentials attached.
有两种方法可以解决这个问题:
There are two options to solve this problem:
- 将
Access-Control-Allow-Origin设置为发出请求的实际主机 - 如果有多个主机:规范"方式是在应用程序本身中包含主机白名单,然后检查
Origin标头是否在列表中并添加Origin作为Access-Control-Allow-Origin标头值.
- Set
Access-Control-Allow-Originto actual host making requests - If there are more than one host: "canonical" way would be to have a whitelist of hosts in application itself, than check
Originheader if it's on the list and addingOriginasAccess-Control-Allow-Originheader value.
使用 Django,检查 Origin 并在中间件中添加标头,但这本身就是一个不错的问题(并且可能已经被问到)
With Django, check for Origin and adding a header can be made in Middleware, but that would make a decent question on it's own (and probably have been already asked)
这篇关于如何使用授权标头发出 GET CORS 请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
