Ajax Request header field Key is not allowed by Access-Control-Allow-Headers
Problem description
Trying to build a DNN Service Framework WebAPI but I'm having trouble consuming it with CORS. I have all of the appropriate headers (I think) but it still doesn't seem to be working.
Error:
XMLHttpRequest cannot load http://www.dnndev.me/mysite/builder/API/echo?message=Hello+World&_=1412707749275. Request header field Key is not allowed by Access-Control-Allow-Headers.
Request headers:
Remote Address: 127.0.0.1:80
URL: http://www.dnndev.me/mysite/builder/API/echo?message=Hello
Request Method: OPTIONS
Status Code: 200 OK
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Access-Control-Request-Headers: accept, key
Access-Control-Request-Method: GET
Connection: keep-alive
Host: www.dnndev.me
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Response headers:
Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Content-Length: 13
Content-Type: application/json; charset=utf-8
Date: Tue, 07 Oct 2014 18:49:10 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/7.5
Generally, this error would be caused by not having the appropriate header in 'Access-Control-All-Headers'. However, I am sending the correct response to allow ajax to continue with its request. It simply refuses to.
Here is my ajax call to the method:
$.ajax({
    type: 'GET',
    url: 'http://www.dnndev.me/mysite/builder/API/echo',
    dataType: 'json',
    data: { message: 'Hello' },
    crossDomain: true,
    headers: { 'Key': 'Bearer 7680ff6e-1362-4236-a9cd-c6bc8b6f13ea' },
    success: function (result) { console.log(result); }
});
Probably obvious, but this only happens on cross domain requests and only when I include the custom header (therefore forcing ajax to do an OPTIONS).
Recommended answer
Your server responds with the following custom header to the preflight request:
Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
whereas if you (or the person who wrote this server) read carefully about CORS he should have responded with:
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
Now the client could go ahead and use the Key custom header.
This being said, Bearer is quite specific to OAuth 2 which is sent throughout the Authorization header. Using Key seems like a terrible violation of RFCs and stuff and a wheel reinvention kinda.
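Added example, not part of the original question or answer: a simplified model of the browser's preflight header check, run over the headers captured above, showing why the misspelled `Access-Control-All-Headers` is ignored and `Key` is rejected. The function name `checkPreflight` and its return shape are assumptions made for this illustration, and it assumes a request without credentials.

```javascript
// Simplified model of the CORS preflight header check (not the full Fetch algorithm).
const KNOWN_CORS_RESPONSE_HEADERS = new Set([
  'access-control-allow-origin', 'access-control-allow-methods',
  'access-control-allow-headers', 'access-control-allow-credentials',
  'access-control-max-age', 'access-control-expose-headers',
]);
// Request headers that never need listing (Content-Type is only conditionally safelisted, so it is left out).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);

const splitList = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// checkPreflight is a hypothetical helper written for this example.
function checkPreflight(requestHeaders, responseHeaders) {
  const req = lowerKeys(requestHeaders);
  const res = lowerKeys(responseHeaders);
  const requested = splitList(req['access-control-request-headers']);
  const allowed = new Set(splitList(res['access-control-allow-headers']));
  // '*' covers any name except Authorization, and only for requests without credentials (assumed here).
  const missing = requested.filter((h) =>
    !SAFELISTED.has(h) && !allowed.has(h) && !(allowed.has('*') && h !== 'authorization'));
  // Access-Control-* names the browser does not recognise are silently ignored,
  // which is how a one-word typo turns into a blocked request.
  const unrecognised = Object.keys(res).filter(
    (h) => h.startsWith('access-control-') && !KNOWN_CORS_RESPONSE_HEADERS.has(h));
  return { ok: missing.length === 0, missing, unrecognised };
}

// Headers copied from the preflight exchange in the question.
const preflightRequest = { 'Access-Control-Request-Headers': 'accept, key', 'Access-Control-Request-Method': 'GET' };
const brokenResponse = {
  'Access-Control-All-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Key',
  'Access-Control-Allow-Methods': '*',
  'Access-Control-Allow-Origin': '*',
};
// The same response with the header name given in the answer.
const fixedResponse = {
  'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Key',
  'Access-Control-Allow-Methods': '*',
  'Access-Control-Allow-Origin': '*',
};

console.log(checkPreflight(preflightRequest, brokenResponse));
console.log(checkPreflight(preflightRequest, fixedResponse));
```

Running the same check against a server's real OPTIONS response in an integration test catches this class of typo before a browser does.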