Cross domain POST query using Cross-Origin Resource Sharing getting no data back


Problem description

I'm sending data cross domain via a POST request but the response isn't working, specifically, jQuery's success handler never gets called.

Stuff being used: Django, Apache, jQuery.

So, I set up a request rather similar to this:

$.ajax({
    url: "http://somesite.com/someplace",
    type: "POST",
    cache: false,
    dataType: "json",
    data: { ... },
    success: function( msg ) {
        alert(msg);
    },
});

As you well know, CORS allows me to respond to an OPTIONS query appropriately to say "Yes, you can POST to me". Which I'm doing. Firebug confirms I'm getting my 200 status code and that the return type is in fact application/json. However, Firebug also confirms that the success handler in the above is not being called.

For reference, my response to OPTIONS is:

elif request.method == "OPTIONS":
    response = HttpResponse("")
    response['Access-Control-Allow-Origin'] = "*"
    response['Access-Control-Allow-Methods'] = "POST, GET, OPTIONS"
    response['Access-Control-Allow-Headers'] = "X-Requested-With"
    return response

In contrast, if I set up a complete: function()... handler it works.

So, question is: what's happening (or not) and why? I am getting data fine, I'd just like to be able to return the response.


Update: This fixes my issue on some browsers but since I don't have a complete definite explanation to this behaviour I'm leaving it open.

Ok, so I read the manual and what I understand of it, the algorithm applied is roughly this:

  1. User agents may implement a preflight call. This is the OPTIONS request. The idea is that they make this request which gives them an answer with respect to the requested resource, which they are then supposed to cache. I'm not passing back a max-age field, so I suspect whilst success is being returned and the X-request allowed, there is nothing in the user agent's cache which permitted me to make it, so the default rules (isolate the request) are applied.
  2. When you make the actual request, I believe the user agent is supposed to inspect the pre-flight cache for permissions. Without my max-age field, I believe it isn't finding these permissions. However, responding with the same headers on POST appears to allow Firefox and Google Chrome to view the response. Opera cannot. IE remains untested at the moment.

I do not currently understand and it is not clear from the manual (to me at least) whether a CORS request should also answer with these headers in the request as well as the OPTIONS. I shall experiment with the Max-Age header and see what that allows or does not allow. However, I'm still short of some definite authoritative understanding on the issue so if there is someone on here who knows, I'm all ears.

Solution

Ok, so I believe the correct way to do things is this:

if request.method == "POST":
    response = HttpResponse(simplejson.dumps(data),mimetype='application/json')
    response['Access-Control-Allow-Origin'] = "*"
    return response
elif request.method == "OPTIONS":
    response = HttpResponse("")
    response['Access-Control-Allow-Origin'] = "*"
    response['Access-Control-Allow-Methods'] = "POST, OPTIONS"
    response['Access-Control-Allow-Headers'] = "X-Requested-With"
    response['Access-Control-Max-Age'] = "1800"
    return response
else:
    return HttpResponseBadRequest()

This is based on the documentation I dug up from Mozilla on preflighted requests.

So, what I believe will happen is this:

  1. If there's nothing in the preflight cache, OPTIONS is sent with X-Requested-With set to XMLHttpRequest (I believe this is necessary to allow Javascript access to anything), along with an Origin header.
  2. The server can examine that information. That is the security of CORS. In my case, I'm responding with "any origin will do" and "you're allowed to send the X-Requested-With thing". I'm saying that OPTIONS and POST are allowed and that this response should be cached for 30 mins.
  3. The client then goes ahead and makes the POST, which was working before.
  4. I modified the response originally to include Allow-Methods and Allow-Headers but according to the exchange in the above linked documentation this isn't needed. This makes sense, the access check has already been done.
  5. I believe then that what happens is the resource sharing check described here. Basically, once said request has been made, the browser again checks the Allow-Origin field for validity, this being on the request such as POST. If this passes, the client can have access to the data, if not, the request has already completed but the browser denies the actual client side application (Javascript) access to that data.

I believe that is a correct summary of what is going on and in any case it appears to work. If I'm not right, please shout.
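
A simplified model of the two browser-side checks walked through above (the preflight check and the resource sharing check on the actual response), added here as an illustration and not part of the original post. The function names, the client origin and the sample header sets are constructed; the header values mirror those shown in the question and answer.

```javascript
// Simplified model of the browser-side CORS checks (added example, not the
// asker's code). Function names and the origin below are hypothetical.

// HTTP header names are case-insensitive.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

function splitList(value) {
  return (value || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Resource sharing check: applied to the preflight response and again to the actual response.
function originAllowed(headers, origin, withCredentials) {
  const allow = header(headers, "Access-Control-Allow-Origin");
  if (allow === null) return false;
  if (!withCredentials) return allow === "*" || allow === origin;
  // Credentialed requests: the wildcard is refused and Allow-Credentials must be "true".
  return allow === origin && header(headers, "Access-Control-Allow-Credentials") === "true";
}

// Preflight check. Assumes req.headers lists only the non-simple request headers.
function preflightAllows(headers, req) {
  if (!originAllowed(headers, req.origin, req.withCredentials)) return false;
  const method = req.method.toLowerCase();
  const methods = splitList(header(headers, "Access-Control-Allow-Methods"));
  if (!["get", "head", "post"].includes(method) && !methods.includes(method)) return false;
  const allowed = splitList(header(headers, "Access-Control-Allow-Headers"));
  return req.headers.every(h => allowed.includes(h.toLowerCase()));
}

// What the page's script ends up with for one cross-origin request.
function corsOutcome(req, preflightHeaders, responseHeaders) {
  if (!preflightAllows(preflightHeaders, req)) return "blocked-preflight";
  if (!originAllowed(responseHeaders, req.origin, req.withCredentials))
    return "blocked-response"; // the server handled the POST, but script cannot read the reply
  return "readable";
}

// Constructed sample data mirroring the headers shown in the question and answer.
const REQ = { origin: "http://client.example", method: "POST",
              headers: ["X-Requested-With"], withCredentials: false };
const PREFLIGHT = { "Access-Control-Allow-Origin": "*",
                    "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
                    "Access-Control-Allow-Headers": "X-Requested-With" };
console.log(corsOutcome(REQ, PREFLIGHT, { "Content-Type": "application/json" }));   // blocked-response
console.log(corsOutcome(REQ, PREFLIGHT, { "Access-Control-Allow-Origin": "*" }));   // readable
console.log(corsOutcome({ ...REQ, withCredentials: true }, PREFLIGHT,
                        { "Access-Control-Allow-Origin": "*" }));                   // blocked-preflight
```

The third case shows why `Access-Control-Allow-Origin: *` stops working once the request carries cookies or HTTP authentication: the server then has to echo a specific, validated origin and send `Access-Control-Allow-Credentials: true`.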
