CORS Access-Control-Allow-Origin despite correct headers


Problem description


I am trying to set up simple Cross-Origin Resource Sharing using jQuery (1.7.1) powered ajax on the client and apache served python (django) server. According to all the instructions I have read my headers are set correctly, but I keep getting the following error:

XMLHttpRequest cannot load http://myexternaldomain.com/get_data. Origin http://localhost:8080 is not allowed by Access-Control-Allow-Origin.

The header I am trying to send (I am not sure it is even getting past the browser) is:

    Request URL:http://myexternaldomain.com/get_data
    Accept:application/json, text/javascript, */*; q=0.01
    Origin:http://localhost:8080
    Referer:http://localhost:8080/static/js/test-zetta.html
    User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.66 Safari/535.11

The javascript code is

    var request = $.ajax({
        url : "http://myexternaldomain.com/get_data",
        type : "POST",
        dataType : "json",
        crossDomain : true
    });

Note that origin is set correctly. The server adds the header Access-Control-Allow-Origin = * using the following python code

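    import json

    from django.http import HttpResponse


    def process_response(response):
        # Called as a plain function below, so it takes only the response.
        # Add the wildcard CORS header unless one is already set.
        if response.has_header('Access-Control-Allow-Origin'):
            return response

        response['Access-Control-Allow-Origin'] = '*'
        return response


    def get_orders(request):
        """ Tell worker what to do """
        response_data = {}
        response_data['action'] = 'probe'
        # The CORS header is added here, inside the view.
        response = process_response(HttpResponse(json.dumps(response_data), mimetype="application/json"))
        return response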

If I visit the address directly, it appears to confirm that the header is being set correctly

    Access-Control-Allow-Origin:*
    Content-Type:application/json
    Date:Thu, 08 Mar 2012 05:06:25 GMT
    Server:Apache/2.2.20 (Ubuntu)
    Transfer-Encoding:chunked

However, in the cross domain setting it always fails (tried both Chrome and Firefox). I've tried implementing the code exactly as per the selected answer to this question, but get the same error.

Update

I am quite sure that the problem is server side, as I have managed to get my ajax calls working with a different public CORS enabled server. When I compare the headers coming back from this public server, and the ones returned from mine (when I test from same domain), I cannot see any major difference which could account for the difference (see below).

One subtlety that I excluded, which may or may not be important, is that the actual domain is an Amazon domain of multiple subdomains. The real address is http://ec2-23-20-27-108.compute-1.amazonaws.com/get_orders , feel free to probe it to see what I am doing wrong.

From Public server

    Access-Control-Allow-Origin:*
    Connection:Keep-Alive
    Content-Encoding:gzip
    Content-Length:622
    Content-Type:text/html
    Date:Thu, 08 Mar 2012 15:33:20 GMT
    Keep-Alive:timeout=15, max=99
    Server:Apache/2.2.14 (Ubuntu)
    Vary:Accept-Encoding
    X-Powered-By:Perl/5.8.7, PHP/4.4.0

From my server - (not working cross domain)

    Access-Control-Allow-Origin:*
    Content-Encoding:gzip
    Content-Type:text/plain
    Date:Thu, 08 Mar 2012 15:32:24 GMT
    Server:Apache/2.2.20 (Ubuntu)
    Transfer-Encoding:chunked
    Vary:Accept-Encoding

Solution

So I was being misled by the response from going to the URL, and in fact the problem was that when doing the ajax request, I was getting a 403 (only revealed in Firefox, not Chrome) error due to CSRF protection.
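
An added illustration, not part of the original post and not Django's code: a simplified standard-library model of the request path described above. It shows why a direct visit (GET) displays the header while the cross-origin POST, rejected by CSRF protection before the view runs, reaches the browser without it and is reported as a CORS failure. The function names and the presence-only token check are assumptions made for the example.

```python
# Simplified model of the question's setup; all names here are hypothetical.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")
ORIGIN = "http://localhost:8080"  # origin taken from the question


def get_orders(method, headers):
    """The view: the only place the CORS header is added, as in the question."""
    return 200, {"Content-Type": "application/json",
                 "Access-Control-Allow-Origin": "*"}


def csrf_gate(view):
    """Stand-in for CSRF protection: an unsafe method without a token is
    rejected before the view is called, so the view's header is never set.
    Assumption: presence-only check; real protection validates the token."""
    def wrapped(method, headers):
        if method not in SAFE_METHODS and "X-CSRFToken" not in headers:
            return 403, {"Content-Type": "text/html"}
        return view(method, headers)
    return wrapped


def browser_outcome(status, resp_headers, origin):
    """What page script can observe for a cross-origin XHR sent without
    credentials: the response is readable only if the origin is allowed."""
    allowed = resp_headers.get("Access-Control-Allow-Origin")
    if allowed not in ("*", origin):
        return "blocked: origin not allowed by Access-Control-Allow-Origin"
    return "readable: HTTP %d" % status


def diagnose(app, method, origin):
    """Send one request through the app and report (status, browser view)."""
    status, resp_headers = app(method, {"Origin": origin})
    return status, browser_outcome(status, resp_headers, origin)


if __name__ == "__main__":
    app = csrf_gate(get_orders)
    for method in ("GET", "POST"):
        print(method, diagnose(app, method, ORIGIN))
```

When a CORS error appears despite a correct header on a direct visit, check the status code and headers of the failing request itself (server access log or the browser's network panel) rather than the response to a separate GET.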
