Access-Control-Allow-Origin header not working - What am I doing wrong?


Problem description

I am attempting to provide a response to the HTTP OPTIONS method with an Access-Control-Allow-Origin header copying the contents of the Origin header in the request.

This is apparently not working, for reasons I can't figure out.

tl;dr: response from OPTIONS says:

Access-Control-Allow-Origin: http://10.0.0.105:9294

The subsequent GET has:

Origin:http://10.0.0.105:9294

Chrome says:

Origin http://10.0.0.105:9294 is not allowed by Access-Control-Allow-Origin

Isn't it?

More detail...

By looking in Chrome's developer tools window, the request headers are:

OPTIONS /user/kris HTTP/1.1
Host: 10.0.0.104:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://10.0.0.105:9294
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1
Access-Control-Request-Headers: origin, x-requested-with, content-type, accept
Accept: */*
Referer: http://10.0.0.105:9294/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

The response headers are:

HTTP/1.0 200 OK
Date: Mon, 13 Aug 2012 11:23:45 GMT
Server: WSGIServer/0.1 Python/2.7.3
Content-Length: 0
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS
Access-Control-Max-Age: 10
Access-Control-Allow-Origin: http://10.0.0.105:9294
Access-Control-Allow-Headers: X-Requested-With, Authorization, X-Huzu-User, Content-Type, Accept
Content-Type: text/html; charset=UTF-8

After jQuery sends its OPTIONS request and gets the above response, 2 odd things happen. The OPTIONS response (which is a 200) shows up in the developer console as an error:

OPTIONS http://10.0.0.104:8080/user/kris 200 (OK)

After which a GET request is rejected. Error in the console:

XMLHttpRequest cannot load http://10.0.0.104:8080/user/kris. Origin http://10.0.0.105:9294 is not allowed by Access-Control-Allow-Origin.

I can't see why not. What am I doing wrong?

Recommended answer

OK, I think I've got it. It seems that proper handling of the pre-flight OPTIONS request is necessary, but NOT SUFFICIENT for cross-site resource requests to work.

After the OPTIONS request comes back with satisfactory headers, all responses to any subsequent requests to the same URL also have to have the necessary "Access-Control-Allow-Origin" header, otherwise the browser will swallow them, and they won't even show up in the debugger window.

So it will look like the browser cancelled the request because of some problem in the OPTIONS response, but actually, the browser is looking at the response headers from the real request and then rejecting them.
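
An added example, not part of the original answer: since the server in the question is a Python WSGI server, this WSGI middleware attaches Access-Control-Allow-Origin to both the preflight and the actual response, and echoes the Origin only when it is on an allowlist rather than reflecting any value. The names ALLOWED_ORIGINS, CorsMiddleware, demo_app and call are hypothetical, and the requests are constructed.

```python
# Added example (not from the thread); ALLOWED_ORIGINS, demo_app, call() are assumptions.
ALLOWED_ORIGINS = {"http://10.0.0.105:9294"}  # allowlist, not a blind echo of Origin
ALLOW_METHODS = "GET, PUT, POST, DELETE, HEAD, OPTIONS"
ALLOW_HEADERS = "X-Requested-With, Authorization, X-Huzu-User, Content-Type, Accept"


class CorsMiddleware:
    """Add CORS headers to the preflight AND to every actual response."""
    def __init__(self, app, allowed_origins=ALLOWED_ORIGINS):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        ok = origin in self.allowed
        cors = [("Vary", "Origin")]  # response varies by Origin; keeps caches correct
        if ok:
            cors.append(("Access-Control-Allow-Origin", origin))
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            if ok:  # preflight: advertise methods/headers only to allowed origins
                cors += [("Access-Control-Allow-Methods", ALLOW_METHODS),
                         ("Access-Control-Allow-Headers", ALLOW_HEADERS),
                         ("Access-Control-Max-Age", "10")]
            start_response("200 OK", cors + [("Content-Length", "0")])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            # The step missing in the question: the real GET response must
            # carry Access-Control-Allow-Origin too, not just the preflight.
            kept = [h for h in headers if h[0].lower() != "access-control-allow-origin"]
            return start_response(status, kept + cors, exc_info)

        return self.app(environ, cors_start_response)


def demo_app(environ, start_response):  # hypothetical stand-in for /user/kris
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"user": "kris"}']


def call(app, method, origin, preflight=False):
    """Drive the app with a constructed request; return (headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/user/kris", "HTTP_ORIGIN": origin}
    if preflight:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = "GET"
    seen = {}
    body = app(environ, lambda status, headers, exc_info=None: seen.update(headers))
    return seen, b"".join(body)
```

Wrapping the application once, as in `CorsMiddleware(demo_app)`, covers every route and method, so no individual handler can forget the header on the non-OPTIONS response.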
