如何使用授权头使GET CORS请求 [英] How to make GET CORS request with authorization header
问题描述
我正在阅读有关CORS请求的信息,并且我已经设法定期获取GET或POST请求,并且工作正常。但是当我将授权头添加到GET或POST请求时,则将预检OPTIONS请求发送到服务器,并获得500 INTERNAL SERVER ERR,并且不发送实际请求。我的问题是预检实际是如何工作的,需要什么响应才能发送主要请求?是否可以发送它没有预检,因为我确信,那么它会工作?
服务器是用Django 1.6编写的,ACCESS-ALLOW-ORIGIN设置为*,它可以正常发布和获取请求。
I was reading about CORS requests, and I have managed to make regular GET or POST request and it works fine. But when I add authorization header to a either GET or POST request, then the preflight OPTIONS request is sent to the server and I get 500 INTERNAL SERVER ERR, and the actual request isn't sent. My question is how does the preflight actually work, and what response does it require so that it will send the main request? And is it possible to send it without the preflight because I'm sure that then it would work? The serve-rside is written in Django 1.6 and has ACCESS-ALLOW-ORIGIN set to *, and it works with regular post and get requests.
是我的JS代码:
$.ajax({
type: "GET",
url: "http://url/login/",
async:false,
contentType: "application/json",
headers: {
"Authorization": "Basic " + btoa(loginName + ':' + password),
},
success: function (data) {
alert("OK!");
},
failure: function(errMsg) {
alert(errMsg);
}
});
这些是Chrome DevTools执行请求时的头文件:
请求标头:
These are the headers from Chrome DevTools when the request is executed: Request headers:
OPTIONS /login/ HTTP/1.1
Host: url
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Access-Control-Request-Headers: accept, authorization, content-type
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,hr;q=0.6,sr;q=0.4
回复标题:
HTTP/1.1 500 INTERNAL SERVER ERROR
Date: Thu, 31 Jul 2014 16:15:19 GMT
Server: Apache/2.2.15 (CentOS)
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Origin: *
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
推荐答案
要传递授权标题,您必须将 Access-Control-Allow-Credentials 设置为true。
To pass authorization headers you must set Access-Control-Allow-Credentials to true.
问题是,根据规范( MDN解释更简单),如果 Access-Control-Allow-Credentials 设置为true, Access-Control-Allow-Origin 不能包含 * ,因此允许任何主机发出带有凭据的请求。
The problem is that, according to specification (MDN explains it simpler), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, therefore allowing any hosts making requests with credentials attached.
有两个选项来解决此问题:
There are two options to solve this problem:
- 将
Access-Control-Allow-Origin设置为实际主机请求 - 如果有多个主机:规范的方式是在应用程序本身拥有主机的白名单,而不是检查
Origin标题,如果它在列出并将Origin添加为Access-Control-Allow-Origin头值。
- Set
Access-Control-Allow-Originto actual host making requests - If there are more than one host: "canonical" way would be to have a whitelist of hosts in application itself, than check
Originheader if it's on the list and addingOriginasAccess-Control-Allow-Originheader value.
使用Django,检查 Origin 并添加一个标题可以在中间件,但这将是一个体面的问题,它是自己的(可能已经被问到)
With Django, check for Origin and adding a header can be made in Middleware, but that would make a decent question on it's own (and probably have been already asked)
这篇关于如何使用授权头使GET CORS请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
