ASANA API and Access-Control-* headers


Problem description

I am writing some code to call the Asana API from the browser. XDR requests emitted from the browsers all begin with a call to OPTIONS to get the Access-Control-* headers, but the Asana server does not seem to respond to them:

Request URL:https://app.asana.com/api/1.0/users?opt_pretty=true&opt_fields=name,email
Request Method:OPTIONS
Status Code:404 Object Not Found
Request Headers:
  Accept:*/*
  Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
  Accept-Encoding:gzip,deflate,sdch
  Accept-Language:fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
  Access-Control-Request-Headers:origin, authorization, accept
  Access-Control-Request-Method:GET
  Connection:keep-alive
  Host:app.asana.com
  Origin:null
  User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1129.0 Safari/536.11

Query String Parameters:
  opt_pretty:true
  opt_fields:name,email

Response Headers:
  Content-Length:82
  Content-Type:application/json
  Date:Sat, 12 May 2012 22:23:19 GMT
  Server:nginx/0.7.67
  ...

Response headers should contain something like:

Access-Control-Allow-Headers: Accept, Authorization, Content-Type
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Origin: *

Or is there anything that I am missing when requesting the API?

Recommended answer

(I work at Asana)

The Asana API does not return these headers right now because it does not support OAuth and cannot securely authenticate requests from clients. It is only secure to return these headers for an authenticated client, otherwise the service would be open to cross-site scripting attacks. OAuth is on the list of features to be supported in the future.
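The preflight from the question, evaluated server-side against an origin allowlist. This is an added example, not code from the original post or from Asana; the `POLICY` object, the `preflight` function, the origin `https://client.example` and the `Access-Control-Max-Age` value are assumptions.

```javascript
// Added example: server-side decision for a CORS preflight (OPTIONS) request.
// POLICY is a constructed placeholder, not Asana's configuration.
const POLICY = {
  origins: new Set(["https://client.example"]),
  methods: new Set(["GET", "PUT", "POST", "DELETE"]),
  headers: new Set(["accept", "authorization", "content-type", "origin"]),
};

// A preflight carries no Authorization header, so the decision rests on Origin.
// Takes lower-cased request header names and returns { status, headers }.
function preflight(reqHeaders, policy = POLICY) {
  const origin = reqHeaders["origin"];
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const wanted = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Vary: Origin keeps caches from serving one origin's answer to another.
  const base = { Vary: "Origin" };

  // "null" is sent by file:// pages and sandboxed iframes; it identifies no one,
  // so it is never allowlisted and never reflected.
  if (!origin || origin === "null" || !policy.origins.has(origin)) {
    return { status: 403, headers: base };
  }
  if (!policy.methods.has(method) || !wanted.every((h) => policy.headers.has(h))) {
    return { status: 403, headers: base };
  }
  return {
    status: 204,
    headers: {
      ...base,
      "Access-Control-Allow-Origin": origin, // exact allowlisted origin, not "*"
      "Access-Control-Allow-Methods": [...policy.methods].join(","),
      "Access-Control-Allow-Headers": wanted.join(", "),
      "Access-Control-Max-Age": "600",
    },
  };
}

// Preflight headers from the question (Origin: null), then from an allowlisted origin.
const fromQuestion = {
  origin: "null",
  "access-control-request-method": "GET",
  "access-control-request-headers": "origin, authorization, accept",
};
console.log(preflight(fromQuestion).status);
console.log(preflight({ ...fromQuestion, origin: "https://client.example" }).headers);
```

A response without `Access-Control-Allow-Origin` makes the browser block the cross-origin call, which is the behaviour the question observed with the 404.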
