跨源资源共享（CORS）问题 [英] Cross Origin Resource Sharing (CORS) issue

问题描述

我们有一些web服务返回xml + atom响应。它们托管在SAP NetWeaver Gateway应用程序服务器上。他们需要BASIC认证才能访问它们。该响应包含以下头来支持CORS：

We have some web services returning xml+atom response. These are hosted on SAP NetWeaver Gateway application server. They require BASIC authentication to access them. The response contains the following headers to support CORS:

access-control-allow-origin: *
access-control-allow-methods: POST, GET, OPTIONS, PUT, DELETE, HEAD
access-control-allow-headers: Content-Type
access-control-max-age: 1728000

我们有一个HTML5应用程序，使用jquery调用服务，如下所示：

We have an HTML5 app which uses jquery to call the service as below:

var url = "http://mytesturl.com/test/";
    $.ajax({
        url: url,
        async: true,
        contentType:"application/atom+xml", 
        type: "GET",
        crossdomain: true,
        beforeSend: function (xhr) {
        xhr.setRequestHeader('Authorization', make_base_auth(uname, passwd));
        }
    })
            .done(function( data, textStatus, jqXHR ){alert("success");})
       .fail(function( jqXHR, textStatus, errorThrown ){
            console.log(jqXHR.status);
            alert(errorThrown + jqXHR.status);
        }); 

尽管服务器响应中包含头，我们继续得到CORS错误如下： p>

Despite the headers coming in the server response, we continue to get the CORS errors as below:

Failed to load resource: the server responded with a status of 401 (Unauthorized)
Failed to load resource: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8383' is therefore not allowed access.

用户名（uname）和密码（passwd）如果我尝试使用RestClient等工具调用服务，我可以看到响应中的标题。我已尝试在Chrome版本31.0和Safari版本6.0.5中测试。我不知道什么缺失。任何建议，以帮助解决这个问题将是巨大的。

The username (uname) and password (passwd) are correct. If I try calling the service using a tool like RestClient, I can see the headers in the response. I have tried testing in Chrome version 31.0 and Safari version 6.0.5. I am not sure what is missing. Any suggestions to help resolve the issue would be great.

感谢。

推荐答案

您似乎忘记了授权在允许的标头列表中的标头：

You seem to have forgotten to include the Authorization header in the list of allowed headers:

access-control-allow-headers: Content-Type, Authorization

您的客户端代码正在发送授权头（基本身份验证），因此服务器必须在CORS级别明确允许此操作。

Your client code is sending an Authorization header (the Basic authentication stuff), so the server must explicitly allow this at the CORS level.

用这些头来响应来自客户端的 OPTIONS 动词请求。

Also ensure that the server is actually responding with those headers for an OPTIONS verb request from the client.

这篇关于跨源资源共享（CORS）问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！