HTTP头设置授权头阻止数据加载 [英] HTTP Headers setting Authorization header stops data from loading

查看:240
本文介绍了HTTP头设置授权头阻止数据加载的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用Ember.js,Ember Simple Auth插件和jQuery,使用ajax发送一个授权头域跨域。设置授权标头时:

I'm using Ember.js, Ember Simple Auth plugin and jQuery to send an Authorization header cross domain using ajax. When the Authorization header is set:

jqXHR.setRequestHeader('Authorization', 'Bearer ' + session.get('authToken'));

然后我得到一个飞行前选项请求REST URL,然后我返回以下标题:

Then I get a pre-flight OPTIONS request to the REST URL which I then return back the following headers:

$headers->set('Access-Control-Allow-Origin', 'http://subdomain2.domain.com');
$headers->set('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
$headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, Accept');
$headers->set('Access-Control-Max-Age', 10);
$headers->set('Content-Length', 0);

在Chrome网络监视器中,此选项请求返回成功。然后,当GET请求在飞行前 OPTIONS 请求之后, GET 请求挂起或至少说(pending)在网络监视器中:

In Chrome Network monitor, this OPTIONS request returns successful. Then when the GET request comes after the pre-flight OPTIONS request, the GET request just hangs or at least says (pending) in network monitor:

如果我几秒钟后刷新页面,页面将显示,但它不会在 OPTIONS 呼叫之后立即显示。

If I refresh the page a couple of seconds later the page will show, but it just doesn't show immediately after the OPTIONS call.

当我玩 Access-Control- Max-Age 头文件并增加缓存时间,然后我可以刷新多次,然后再次发送 OPTIONS ,这意味着该页面将只显示精细。只有当$ code> OPTIONS 调用后才会挂起 GET

When I play with the Access-Control-Max-Age header and increase the cache time, then I can refresh many times before it sends the OPTIONS call again which means the page will show just fine. It's only when the OPTIONS call comes with the GET immediately after does it hang.

当我直接在浏览器中加载网址时,它会显示JSON数据。即使我使用Chrome扩展程序Postman,并手动将授权标头设置为与jQuery请求相同,仍然会加载数据正常(尽管我不认为Postman模拟交叉域请求)。

When I load the url directly in the browser it displays the JSON data just fine. Even when I use the Chrome extension Postman and manually set the Authorization header the same as the jQuery request, it still loads the data just fine (although I don't think Postman simulates cross domain requests).

任何想法,为什么 GET 请求仍然未决,并且不返回任何错误或标题?

Any idea why the GET request remains pending and doesn't return any errors or headers?

推荐答案

不确定问题在这里。看起来你跑到了与此类似:与jquery.ajax()的跨原始授权标题

Not really sure what the problem is here. Looks like you're running into sth. similar to this: cross-origin 'Authorization'-header with jquery.ajax()

此外,您是否更改了Ember.SimpleAuth代码中的任何内容?因为默认情况下,出于安全原因,它不应该在跨域请求中包含令牌...

Also, did you change anything in the Ember.SimpleAuth code? Because by default it shouldn't include the token in cross domain requests for security reasons...

您可能还想查看jQuery中的这个已知问题:发送跨网域帖子的凭据,这也涉及发送授权头文件跨域。

You might also want to look at this known problem in jQuery: Sending credentials with cross-domain posts? that also relates to sending the Authorization header cross-domain.

我将研究Ember.SimpleAuth在这种情况下可能如何帮助。

I'll look into how Ember.SimpleAuth could maybe help in this scenario.

这篇关于HTTP头设置授权头阻止数据加载的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆