CORS 和 HTTP 基本身份验证 [英] CORS and HTTP basic auth
问题描述
如果包含基本身份验证,预检 HTTP 请求会是什么样子?喜欢下面的对话吗?我无法理解哪些标头需要发送到哪里,也是因为无法使用 Firebug 正确调试它
How would a preflighted HTTP request look like if you include Basic auth? Like the following conversation? Im having trouble to understand which headers need to be sent where, also because its not possible to debug it properly with Firebug
客户:
OPTIONS /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Origin: http://jsconsole.com
服务器:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
客户:
GET /api/resource HTTP/1.1
Access-Control-Request-Method: GET
Access-Control-Allow-Credentials: true
Origin: http://jsconsole.com
服务器:
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
WWW-Authenticate: Basic realm="Authorisation Required"
客户:
GET /api/resource HTTP/1.1
Access-Control-Allow-Credentials: true
Authorization: Basic base64encodedUserAndPassword
Access-Control-Request-Method: GET
Origin: http://jsconsole.com
服务器:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, PUT, DELETE
Access-Control-Allow-Headers: Authorization
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
推荐答案
如果您正在请求凭据,则服务器必须使用 Access-Control-Allow-Origin 响应标头中的特定来源进行响应(因此不能使用通配符 *).当然,它也需要使用 Access-Control-Allow-Credentials 响应标头进行响应.
If you're requesting credentials then the server must respond with the specific origin in the Access-Control-Allow-Origin response header (and thus can't use the wildcard *). Of course it would then also need to respond with Access-Control-Allow-Credentials response header too.
这篇关于CORS 和 HTTP 基本身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!