Ajax请求头字段访问控制允许头不允许键 [英] Ajax Request header field Key is not allowed by Access-Control-Allow-Headers

问题描述

尝试构建DNN服务框架WebAPI，但我无法使用CORS。我有所有适当的标题（我认为），但它仍然不工作。

Trying to build a DNN Service Framework WebAPI but I'm having trouble consuming it with CORS. I have all of the appropriate headers (I think) but it still doesn't seem to be working.

错误：

XMLHttpRequest cannot load http://www.dnndev.me/mysite/builder/API/echo?message=Hello+World&_=1412707749275. Request header field Key is not allowed by Access-Control-Allow-Headers.

请求标题：

Remote Address: 127.0.0.1:80
URL: http://www.dnndev.me/mysite/builder/API/echo?message=Hello
Request Method: OPTIONS
Status Code: 200 OK
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Access-Control-Request-Headers: accept, key
Access-Control-Request-Method: GET
Connection: keep-alive
Host: www.dnndev.me
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

响应标题：

Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Content-Length: 13
Content-Type: application/json; charset=utf-8
Date: Tue, 07 Oct 2014 18:49:10 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/7.5

一般来说，此错误是由于在Access-Control-All-标题。但是，我发送正确的响应，以允许ajax继续其请求。它只是拒绝。

Generally, this error would be caused by not having the appropriate header in 'Access-Control-All-Headers'. However, I am sending the correct response to allow ajax to continue with its request. It simply refuses to.

这是我的ajax调用的方法：

Here is my ajax call to the method:

$.ajax({
    type: 'GET',
    url: 'http://www.dnndev.me/mysite/builder/API/echo',
    dataType: 'json',
    data: { message: 'Hello' },
    crossDomain: true,
    headers: { 'Key': 'Bearer 7680ff6e-1362-4236-a9cd-c6bc8b6f13ea' },
    success: function (result) { console.log(result); }
});

可能很明显，但这只会发生在跨网域请求上，只有当我包含自定义标题

Probably obvious, but this only happens on cross domain requests and only when I include the custom header (therefore procing ajax to do an OPTIONS).

推荐答案

您的服务器使用以下自定义标头响应预检请求：

Your server responds with the following custom header to the preflight request:

Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key

如果你（或写这个服务器的人）仔细阅读CORS，他应该回答：

whereas if you (or the person who wrote this server) read carefully about CORS he should have responded with:

Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key

现在客户端客户端可以使用 Key 自定义标头。

Now the client client could go ahead and use the Key custom header.

这就是说，承载是相当具体的OAuth 2，发送整个授权头。使用键似乎是一个可怕的违反RFC和东西，以及一个轮子的改造。

This being said, Bearer is quite specific to OAuth 2 which is sent throughout the Authorization header. Using Key seems like a terrible violation of RFCs and stuff and a wheel reinvention kinda.

这篇关于Ajax请求头字段访问控制允许头不允许键的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！