访问控制允许原产地：*不工作？ [英] Access-Control-Allow-Origin: * not working?

问题描述

经典原因...不允许Access-Control-Allow-Origin问题。两台机器为同一网站提供内容。当机器A通​​过jquery执行 $（'＃main'）。load（'link_to_resource_on_B'）时，机器B通过mod_python提供内容，添加 Access-Control-Allow-Origin：* 头。但由于某些原因，这仍然不工作。我在Chrome，Safari和Internet Explorer上测试了这项功能。我通过命令行测试检查响应头，看起来 Access-Control-Allow-Origin：* 在B的头中成功。

Classic "Origin ... is not allowed by Access-Control-Allow-Origin" problem. Two machines serve contents for the same website. When machine A does a $('#main').load('link_to_resource_on_B') via jquery, machine B serves up the content with mod_python, adding Access-Control-Allow-Origin: * header. But for some reason, this still does not work. I tested this on Chrome, Safari, and Internet Explorer. And I tested via command line to check the response header, it seems Access-Control-Allow-Origin: * is successfully in the header from B. See below. What could i be missing?

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /tests/python/test/env HTTP/1.1
host: 10.0.1.10 

HTTP/1.1 200 OK
Date: Mon, 27 Feb 2012 02:05:33 GMT
Server: Apache/2.2.20 (Ubuntu)
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html

推荐答案

在响应中启用访问控制 - 允许原始标头是不够的。服务器端实施应提供对飞行前OPTIONS请求。特别是，必须在OPTIONS响应中设置以下HTTP标头：

Enabling Access-Control-Allow-Origin header in the response is not sufficient. Server side implementation should provide proper handling for pre-flight OPTIONS request. Particularly, following HTTP headers must be set in the OPTIONS response:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST

其他HTTP标头，

请注意

Have in mind that Access-Control-Allow-Origin: * HTTP header must be also set in the following GET & POST responses.

这篇关于访问控制允许原产地：*不工作？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！