There is no point of wrapping up header statements enabling CORS in your API with those conditions you have.

使用您拥有的条件在 API 中启用 CORS 的头语句是没有意义的。

Right now it would set headers only if the REQUEST_METHOD is OPTIONS and HTTP_ACCESS_CONTROL_REQUEST_METHOD is either GET or POST, but your request wont comply to this.

现在它只会在 REQUEST_METHOD 是 OPTIONS 并且 HTTP_ACCESS_CONTROL_REQUEST_METHOD 是 GET 或 POST 时设置标头，但您的请求不会遵守这一点。

So replace

所以更换

if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
    // return only the headers and not the content
    // only allow CORS if we're doing a GET - i.e. no saving for now.
    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'])) {
        if($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] == 'GET' || $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD'] == 'POST') {
            header('Access-Control-Allow-Origin: *');
            header('Access-Control-Allow-Headers: X-Requested-With, X-authentication,Content-Type, X-client');
        }
    }
    exit;
}

from your code with

从你的代码中

header('Access-Control-Allow-Origin: *');

header('Access-Control-Allow-Methods: GET, POST, OPTIONS');

header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');

PS:Unless you have a server variable set as HTTP_ACCESS_CONTROL_REQUEST_METHOD, change it to REQUEST_METHOD

PS：除非您将服务器变量设置为 HTTP_ACCESS_CONTROL_REQUEST_METHOD，否则将其更改为 REQUEST_METHOD

For Slim Framework 2.4 Version I did a small hack to tackle the Preflight OPTIONS request

对于 Slim Framework 2.4 版本，我做了一个小技巧来解决 Preflight OPTIONS 请求

\Slim\Slim::registerAutoloader();

$app = new \Slim\Slim();

if($app->request->isOptions()) {
   return true;
   break;
}

$app->post('/authenticate', 'authenticateUser');

$app->run();

So this will track all OPTIONS requests and return true and it worked for me.

所以这将跟踪所有 OPTIONS 请求并返回 true 并且它对我有用。

My .htaccess file was like as follows

我的 .htaccess 文件如下

Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "X-Requested-With, Content-Type, Accept, Origin, Authorization"
Header add Access-Control-Allow-Methods "GET, POST, OPTIONS"

Hope this helps.

希望这可以帮助。

I was having the same issue while working on an ionic hybrid mobile application. I added the following code below to my index.php file.

我在开发离子混合移动应用程序时遇到了同样的问题。我将以下代码添加到我的 index.php 文件中。

header('Access-Control-Allow-Origin:*'); 
header('Access-Control-Allow-Headers:X-Request-With');

header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');

I ended up creating this simple middleware class:

我最终创建了这个简单的中间件类：

<?php
class CorsMiddleware
{
private $router;

public function __construct(\Slim\Router $router)
{
    $this->router = $router;
}
/**
 * Cors middleware invokable class
 *
 * @param  \Psr\Http\Message\ServerRequestInterface $request  PSR7 request
 * @param  \Psr\Http\Message\ResponseInterface      $response PSR7 response
 * @param  callable                                 $next     Next middleware
 *
 * @return \Psr\Http\Message\ResponseInterface
 */
public function __invoke($request, $response, $next)
{
    // https://www.html5rocks.com/static/images/cors_server_flowchart.png
    if ($request->isOptions()
          && $request->hasHeader('Origin')
          && $request->hasHeader('Access-Control-Request-Method')) {
        return $response
                      ->withHeader('Access-Control-Allow-Origin', '*')
                      ->withHeader('Access-Control-Allow-Headers', '*')
                      ->withHeader("Access-Control-Allow-Methods", '*');
    } else {
        $response = $response
                      ->withHeader('Access-Control-Allow-Origin', '*')
                      ->withHeader('Access-Control-Expose-Headers', '*');
        return $next($request, $response);
    }
}
}

I use it like this (it's a string because of dependency-injection):

我像这样使用它（由于依赖注入，它是一个字符串）：

$app->add('CorsMiddleware');

$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']looks wrong. That a valid _SERVER variable? You mean just REQUEST_METHOD?

$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']看起来不对。那是一个有效的 _SERVER 变量吗？你是说只是REQUEST_METHOD？

Is the ORIGIN header in fact actually sent? Trust the error message.

ORIGIN 标头实际上是否实际发送？相信错误消息。

Can you use something like WireShark or at least step through your code somehow? Even echo/log calls to make sure your logic is working as expected.

你可以使用像 WireShark 这样的东西，或者至少以某种方式单步执行你的代码吗？甚至 echo/log 调用以确保您的逻辑按预期工作。

I had the same problem, but at the end I achieved to get it working

我遇到了同样的问题，但最后我实现了让它工作

I am using cors-middleware https://github.com/tuupola/cors-middleware

我正在使用 cors-middleware https://github.com/tuupola/cors-middleware

These are my settings:

这些是我的设置：

$app->add(new \Tuupola\Middleware\Cors([
    "origin" => ["*"],
    "methods" => ["GET", "POST", "PUT", "PATCH", "DELETE"],
    "headers.allow" => ["Accept", "Content-Type"],
    "headers.expose" => [],
    "credentials" => false,
    "cache" => 0,
    "logger" => $container['logger']
]));

Pay attention to the headers.allowkey. If you try using "*"it will fail. You must enumerate at least these two headers as allowed.

注意headers.allow关键。如果您尝试使用"*"它将失败。您必须至少枚举这两个标头作为允许。

Follow the instructions on the lazy CORS in the following link...this worked for me...

按照以下链接中有关懒惰 CORS 的说明进行操作...这对我有用...

to be exact I made a cors.php file to serperate the routes you handle for cores and pasted all the code in the file.

确切地说，我制作了一个 cors.php 文件来处理您为内核处理的路由，并将所有代码粘贴到文件中。

http://www.slimframework.com/docs/v3/cookbook/enable-cors.html

http://www.slimframework.com/docs/v3/cookbook/enable-cors.html

UPDATE

更新

Since I faced this problem from my internal server where I had two web servers running for my back-end API and the other on Angular CLI the solution is in that context.

由于我在内部服务器上遇到了这个问题，其中我有两个 Web 服务器为我的后端 API 运行，另一个在 Angular CLI 上运行，因此解决方案就是在这种情况下。

CORS operates by checking if the request url is valid by sending a preflight request using OPTIONS method, the problem is that your restful API router is not configured to handle that request so it gives a NOT_FOUND response. So what you do is add the routing for all OPTIONS requests as a simple solution, though you can be more specific.

CORS 通过使用 OPTIONS 方法发送预检请求来检查请求 url 是否有效，问题是您的 Restful API 路由器未配置为处理该请求，因此它给出了 NOT_FOUND 响应。因此，您要做的是为所有 OPTIONS 请求添加路由作为一个简单的解决方案，尽管您可以更具体。

To be nice and tidey, create a cors.php file where you will put the routes for your cors routes and add this code in it

为了美观大方，创建一个 cors.php 文件，您将在其中放置 cors 路由的路由并在其中添加此代码

<?php
//  Handling CORS with a simple lazy CORS
$app->options('/{routes:.+}', function ($request, $response, $args) {
    return $response;
});
$app->add(function ($req, $res, $next) {
    $response = $next($req, $res);
    return $response
        ->withHeader('Access-Control-Allow-Origin', 'http://localhost:4200')
        ->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization')
        ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH, OPTIONS');
});

// Catch-all route to serve a 404 Not Found page if none of the routes match
// NOTE: make sure this route is defined last
$app->map(['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], '/{routes:.+}', function($req, $res) {
    // handle using the default Slim 
    $handler = $this->notFoundHandler;
    //page not found handler
    return $handler($req, $res);
});

Basically what this is saying is, for all options requests on all routes, just return a response without handling it. What's important here is the middleware which executes after returning the response, it sets the response headers that will tell your browser that it's OK to send the real request.

基本上这就是说，对于所有路由上的所有选项请求，只返回一个响应而不处理它。这里重要的是在返回响应后执行的中间件，它设置响应标头，告诉您的浏览器可以发送真正的请求。

Note: Make sure that the cors.php file falls as the last set of routes. Also don't put an asterix as your domain origin, it doesn't work either.

注意：确保 cors.php 文件属于最后一组路由。也不要将星号作为您的域来源，它也不起作用。