CORS和Access-Control-Allow-Headers如何工作? [英] How do CORS and Access-Control-Allow-Headers work?
问题描述
我正在尝试将CORS请求从domain.com发布到a.domain.com。
我的JavaScript看起来像这样
$('#fileupload' ).fileupload({
xhrFields:{
withCredentials:true
},
dataType:'json',
url:$('#fileupload')。data ('path'),
singleFileUploads:true,
add:function(e,data){
data.submit();
}
}
一开始我看到OPTIONS路由被这样调用:
请求网址:https://a.domain.com/some/route
请求方法:选项
状态代码:200 OK
选项请求:
访问控制请求标头:origin,content-type,accept
访问控制请求方法:POST
主机:a.domain.com
原产地:http://domain.com:3000
Referer:http://domain.com:3000 / home
OPTIONS RESPONSE
Access-Control-凭证:true
Access-Control-Allow-Methods:POST
Access-Control-Allow-Origin:http://domain.com:3000
Connection:keep-alive
Content-Length:0
Content-Type:text / html; charset = utf-8
该请求返回一个200如所述。在我的服务器上,我有相同的路由与 POST
方法,这是我得到的回报后 OPTIONS
/ p>
请求网址:https://a.domain.com/some/route
POST REQUEST
Content-Type:multipart / form-data; boundary = ---- WebKitFormBoundaryjwr5Pk7WBcfzMdbO
原产地:http://domain.com:3000
Referer:http://domain.com:3000 / home
并且
POST
请求被取消/失败。
我的问题是,我需要在POST控制器上具有access-control-allow-origin吗?
我有一个具有域
.domain.com
的Cookie,可以在请求中发送过一次并且不会立即发送。任何想法为什么会发生?解决方案是的,您需要有
Access-Control-Allow-Origin:http: /domain.com:3000
或Access-Control-Allow-Origin:*
。您应该在POST响应中包含标头Access-Control-Allow-Credentials:true
。
OPTIONS响应还应包含标头
Access-Control-Allow-Headers:origin,content-type,accept
以匹配所请求的标头。I'm trying to make CORS request POST from domain.com to a.domain.com.
My javascript looks like this
$('#fileupload').fileupload({ xhrFields: { withCredentials: true }, dataType: 'json', url: $('#fileupload').data('path'), singleFileUploads: true, add: function(e, data){ data.submit(); } });
At first I see the OPTIONS route being called like so:
Request URL: https://a.domain.com/some/route Request Method:OPTIONS Status Code:200 OK
OPTIONS REQUEST:
Access-Control-Request-Headers:origin, content-type, accept Access-Control-Request-Method:POST Host:a.domain.com Origin:http://domain.com:3000 Referer:http://domain.com:3000/home
OPTIONS RESPONSE
Access-Control-Allow-Credentials:true Access-Control-Allow-Methods:POST Access-Control-Allow-Origin:http://domain.com:3000 Connection:keep-alive Content-Length:0 Content-Type:text/html;charset=utf-8
That request comes back with a 200 like stated. On my server, I have the same route with
POST
method and this is what I get in return after theOPTIONS
Request URL:https://a.domain.com/some/route
POST REQUEST
Content-Type:multipart/form-data; boundary=----WebKitFormBoundaryjwr5Pk7WBcfzMdbO Origin:http://domain.com:3000 Referer:http://domain.com:3000/home
and the
POST
request gets canceled/fails.My question is, do I need to have the access-control-allow-origin on the POST controller as well?
I have a cookie for authorization that has domain
.domain.com
that cookie got sent across once in a request and it's not being sent now. Any idea why that would happen?解决方案Yes, you need to have the header
Access-Control-Allow-Origin: http://domain.com:3000
orAccess-Control-Allow-Origin: *
on both the OPTIONS response and the POST response. You should include the headerAccess-Control-Allow-Credentials: true
on the POST response as well.Your OPTIONS response should also include the header
Access-Control-Allow-Headers: origin, content-type, accept
to match the requested header.这篇关于CORS和Access-Control-Allow-Headers如何工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!