HTTP头设置授权头停止加载数据 [英] HTTP Headers setting Authorization header stops data from loading

问题描述

我使用Ember.js，Ember Simple Auth插件和jQuery使用ajax发送授权头域交叉域。当设置 Authorization 标题时：

I'm using Ember.js, Ember Simple Auth plugin and jQuery to send an Authorization header cross domain using ajax. When the Authorization header is set:

jqXHR.setRequestHeader('Authorization', 'Bearer ' + session.get('authToken'));

然后我得到一个飞行前 OPTIONS 请求到REST URL，然后我返回以下头：

Then I get a pre-flight OPTIONS request to the REST URL which I then return back the following headers:

$headers->set('Access-Control-Allow-Origin', 'http://subdomain2.domain.com');
$headers->set('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
$headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, Accept');
$headers->set('Access-Control-Max-Age', 10);
$headers->set('Content-Length', 0);

在Chrome网络监视器中，此 OPTIONS 请求返回成功。然后当GET请求在预运行 OPTIONS 请求之后， GET 请求刚刚挂起或至少说（挂起）在网络监视器中：

In Chrome Network monitor, this OPTIONS request returns successful. Then when the GET request comes after the pre-flight OPTIONS request, the GET request just hangs or at least says (pending) in network monitor:

如果我在几秒钟后刷新页面，页面将显示，但它不是在选项调用后立即显示。

If I refresh the page a couple of seconds later the page will show, but it just doesn't show immediately after the OPTIONS call.

Max-Age 头，并增加缓存时间，然后我可以刷新多次，然后再次发送 OPTIONS 调用，这意味着页面将显示精细。只有在 OPTIONS 调用后立即出现 GET 时才会挂起。

When I play with the Access-Control-Max-Age header and increase the cache time, then I can refresh many times before it sends the OPTIONS call again which means the page will show just fine. It's only when the OPTIONS call comes with the GET immediately after does it hang.

当我在浏览器中直接加载网址时，会显示JSON数据。即使我使用Chrome扩展Postman并手动设置授权标题与jQuery请求相同，它仍然加载数据很好（虽然我不认为Postman模拟跨域请求）。

When I load the url directly in the browser it displays the JSON data just fine. Even when I use the Chrome extension Postman and manually set the Authorization header the same as the jQuery request, it still loads the data just fine (although I don't think Postman simulates cross domain requests).

任何想法为什么 GET 请求仍然待处理，并且不返回任何错误或标题？

Any idea why the GET request remains pending and doesn't return any errors or headers?

推荐答案

不太确定问题在这里。看起来你正在跑步。类似于此：跨源'授权'头与jquery.ajax（）

Not really sure what the problem is here. Looks like you're running into sth. similar to this: cross-origin 'Authorization'-header with jquery.ajax()

此外，您是否更改了Ember.SimpleAuth代码中的任何内容？因为默认情况下，出于安全原因它不应该在跨域请求中包含令牌...

Also, did you change anything in the Ember.SimpleAuth code? Because by default it shouldn't include the token in cross domain requests for security reasons...

您可能还想在jQuery中查看这个已知的问题： jQuery：发送带有跨域帖子的凭据还涉及跨域发送授权标头。

You might also want to look at this known problem in jQuery: jQuery: sending credentials with cross-domain posts? that also relates to sending the Authorization header cross-domain.

我将研究Ember.SimpleAuth如何在这种情况下帮助。

I'll look into how Ember.SimpleAuth could maybe help in this scenario.

这篇关于HTTP头设置授权头停止加载数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！