如何使GET CORS请求与授权头 [英] How to make GET CORS request with authorization header
问题描述
我正在阅读关于CORS请求,我已经设法定期GET或POST请求,它工作正常。但是当我将授权头添加到GET或POST请求时,则将预检OPTIONS请求发送到服务器,并且我获得500 INTERNAL SERVER ERR,并且不发送实际请求。我的问题是预检实际上如何工作,它需要什么响应,以便它将发送主要请求?是否可以发送它没有预检,因为我相信,那么它会工作?
服务器是用Django 1.6编写的,并且ACCESS-ALLOW-ORIGIN设置为*,并且它可以处理正常的post和get请求。
I was reading about CORS requests, and I have managed to make regular GET or POST request and it works fine. But when I add authorization header to a either GET or POST request, then the preflight OPTIONS request is sent to the server and I get 500 INTERNAL SERVER ERR, and the actual request isn't sent. My question is how does the preflight actually work, and what response does it require so that it will send the main request? And is it possible to send it without the preflight because I'm sure that then it would work? The serve-rside is written in Django 1.6 and has ACCESS-ALLOW-ORIGIN set to *, and it works with regular post and get requests.
是我的JS代码:
$.ajax({
type: "GET",
url: "http://url/login/",
async:false,
contentType: "application/json",
headers: {
"Authorization": "Basic " + btoa(loginName + ':' + password),
},
success: function (data) {
alert("OK!");
},
failure: function(errMsg) {
alert(errMsg);
}
});
这些是执行请求时来自Chrome DevTools的标头:
请求标头:
These are the headers from Chrome DevTools when the request is executed: Request headers:
OPTIONS /login/ HTTP/1.1
Host: url
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,hr;q=0.6,sr;q=0.4
响应标头:
HTTP/1.1 500 INTERNAL SERVER ERROR
Date: Thu, 31 Jul 2014 16:15:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
推荐答案
将 Access-Control-Allow-Credentials 设置为true。
问题是,根据规范href =https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_Cors#Access-Control-Allow-Origin =nofollow> MDN解释更简单),如果 Access-Control-Allow-Credentials 设置为true, Access-Control-Allow-Origin 不能包含<$ c
The problem is that, according to specification (MDN explains it simpler), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, therefore allowing any hosts making requests with credentials attached.
有两个选项可以解决这个问题:
There are two options to solve this problem:
- 将
Access-Control-Allow-Origin设置为实际的主机发出请求 - 如果有多个主机:canonical的方式是在应用程序本身拥有主机的白名单,比检查
Origin列表并将原始添加为访问控制允许原始标题值。
- Set
Access-Control-Allow-Originto actual host making requests - If there are more than one host: "canonical" way would be to have a whitelist of hosts in application itself, than check
Originheader if it's on the list and addingOriginasAccess-Control-Allow-Originheader value.
使用Django,检查 Origin ,并在中间件中添加一个标题, (和可能已经问过)
With Django, check for Origin and adding a header can be made in Middleware, but that would make a decent question on it's own (and probably have been already asked)
这篇关于如何使GET CORS请求与授权头的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
