jQuery: The "Access-Control-Allow-Origin" header contains multiple values

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original URL: http://stackoverflow.com/questions/37594403/

Time: 2020-08-26 17:07:30  Source: igfitidea

The 'Access-Control-Allow-Origin' header contains multiple values

jquery json ajax google-chrome cross-domain

Asked by Alaa M. Jaddou

I'm trying to send a GET request to an API, like it's a login URL

var url = "http://demo.software.travel/gptp/api/authorization?apiKey=****&alias=****&login=****&password=****"
$.get(url, function(data) {
    console.log(data);
});

I'm getting this error in my console

XMLHttpRequest cannot load http://demo.software.travel/gptp/api/authorization?apiKey=****&alias=****&login=****&password=****. The 'Access-Control-Allow-Origin' header contains multiple values 'http://travellights.net, *', but only one is allowed. Origin 'http://travellights.net' is therefore not allowed access.


I'm trying to see questions here to solve it, but I didn't get what I need to change; this is annoying, actually.

The 'Access-Control-Allow-Origin' header contains multiple values

This is solved by asp.net web.config

By the way, I'm using CHROME BROWSER. Any help I appreciate.

UPDATE: response headers:

Access-Control-Allow-Credentials:true
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:origin, x-requested-with, Content-Type, accept, Token
Access-Control-Allow-Methods:GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Access-Control-Allow-Origin:http://travellights.net
Access-Control-Allow-Origin:*
Connection:close
Content-Encoding:gzip
Content-Type:application/json;charset=utf-8
Date:Thu, 02 Jun 2016 16:41:18 GMT
Server:nginx/1.1.19
Set-Cookie:JSESSIONID=51FEE1A1206B9B481DD3EEA4167A9256; Path=/gptp
Vary:Origin
Vary:Accept-Encoding
X-UA-Compatible:IE=EmulateIE7

Request Headers:


Accept:application/json, text/javascript, */*; q=0.01
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8,ar;q=0.6,en-GB;q=0.4
Connection:keep-alive
Host:demo.software.travel
Origin:http://travellights.net
Referer:http://travellights.net/b2b/Pages/login?
User-Agent:Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Accepted answer by Bamieh

You are attempting to do cross-origin resource sharing (CORS), which is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated (such as accessing fonts or JSON files).

Browsers restrict your access to resources from other origins under the same-origin policy, as a security measure for internet users.

To get around this issue you have two options:

  1. Allow CORS on the domain http://demo.software.travel (but there are security concerns; more description about it here: https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Cross_Origin_Resource_Sharing)

Enable CORS on the server to be able to access other domains through it. This can be done by adding the following headers to responses:

Access-Control-Allow-Origin: http://travellights.net
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept

  2. If you are not granted resource sharing with that domain, you are allowed to use JSONP for read-only operations (JSONP is inherently read-only)

JSONP wraps a JSON object in a callback, which technically makes the request a non-restricted resource (a script tag) hence can be shared across domains.


It can be done via vanilla JS by adding a script tag onto the page.

function process(data) {
    // do stuff with JSON
}

var script = document.createElement('script');
script.src = '//domainURL?callback=process'

document.getElementsByTagName('head')[0].appendChild(script);

or you can use jquery to achieve the same:


$.ajax({
    url: "http://query.yahooapis.com/v1/public/yql",
    jsonp: "callback",
    dataType: "jsonp",
    data: {
        q: "select title,abstract,url from search.news where query=\"cat\"",
        format: "json"
    },
    success: function( response ) {
        console.log( response ); // server response
    }
});

jquery documentation: https://learn.jquery.com/ajax/working-with-jsonp/
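The first option above, sketched as server-side logic (an added example, not code from the original answer): the response carries exactly one Access-Control-Allow-Origin value, echoed from an allowlist, instead of a list or a wildcard. The names ALLOWED_ORIGINS, corsHeaders and applyCors are hypothetical, and a Node.js-style request/response object is assumed.

```javascript
// Added example: hypothetical helper names, not part of the original answer.
// Origins permitted to read responses (value taken from the question).
const ALLOWED_ORIGINS = new Set(['http://travellights.net']);

/**
 * Build the CORS response headers for one request.
 * At most one Access-Control-Allow-Origin value is produced, and none
 * at all for origins outside the allowlist.
 */
function corsHeaders(requestOrigin, { credentials = false } = {}) {
  // Caches must key on Origin because the response differs per origin.
  const headers = { 'Vary': 'Origin' };
  if (typeof requestOrigin !== 'string' || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return headers; // no ACAO header: the browser blocks the cross-origin read
  }
  // Echo the single matching origin: never a list, and never '*',
  // because browsers reject '*' on requests that include credentials.
  headers['Access-Control-Allow-Origin'] = requestOrigin;
  headers['Access-Control-Allow-Headers'] =
    'Origin, X-Requested-With, Content-Type, Accept';
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

/**
 * Apply the headers to a Node.js-style response object.
 * setHeader() replaces any earlier value, so this layer cannot emit duplicates.
 */
function applyCors(req, res, opts) {
  const h = corsHeaders(req.headers.origin, opts);
  for (const [name, value] of Object.entries(h)) res.setHeader(name, value);
}
```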


Answer by Kamil Kiełczewski

If you set "Full" CORS (with OPTION pre-request) on in nginx by adding 'access-control-allow-origin *' and independently you add that header (for Simple CORS, without OPTION pre-request) to each response in SERVER (e.g. PHP):

// PHP's header() takes the whole "Name: value" line as a single string
header('Access-Control-Allow-Origin: *');

Then you will get this problem. Solution: remove the code which adds this header in the server if you already add this header in your nginx config :)

I found this advice here
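A check for the duplication described in this answer, run over a subset of the response headers quoted in the question (an added example, not part of the original posts; parseHeaders and auditCors are hypothetical names). It reports when more than one layer has set Access-Control-Allow-Origin and when a wildcard is combined with credentials.

```javascript
// Subset of the response headers quoted in the question above.
const RAW_RESPONSE_HEADERS = `Access-Control-Allow-Credentials:true
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:http://travellights.net
Access-Control-Allow-Origin:*
Vary:Origin
Server:nginx/1.1.19`;

/** Parse "Name:value" lines into a Map of lower-cased name -> array of values. */
function parseHeaders(raw) {
  const map = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skip blank or malformed lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!map.has(name)) map.set(name, []);
    map.get(name).push(value);
  }
  return map;
}

/** Return a list of CORS findings for one response (empty list = no findings). */
function auditCors(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  // Browsers join repeated header lines with ", ", so split on commas too.
  const origins = (h.get('access-control-allow-origin') || [])
    .flatMap(v => v.split(',')).map(v => v.trim()).filter(Boolean);
  const creds = (h.get('access-control-allow-credentials') || [])
    .some(v => v === 'true');
  if (origins.length > 1) {
    findings.push(`multiple-acao-values: ${origins.join(', ')}`);
  }
  if (origins.includes('*') && creds) {
    findings.push('wildcard-with-credentials');
  }
  const variesOnOrigin = (h.get('vary') || []).some(v => /\borigin\b/i.test(v));
  if (origins.some(o => o !== '*') && !variesOnOrigin) {
    findings.push('missing-vary-origin');
  }
  return findings;
}
```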
