Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/17539013/

Time: 2020-09-14 08:06:39  Source: igfitidea

CORS with Laravel 4

Tags: php, laravel, laravel-4, cors

Asked by Umut Sirin

I am writing an API, and using Laravel 4 to achieve that. My API is at a different domain. Let's assume that it is: http://api-example.com/

And when I try to make ajax requests via Backbone to my API from my web-app (i.e. mydomain.com) with basic authentication, it sometimes works just fine, but sometimes it doesn't. I am trying to figure out why. Below are my App::before filter and App::after filter.

App::before(function($request)
{
    if($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        $statusCode = 204;

        $headers = [
            'Access-Control-Allow-Origin'      => 'http://mydomain.com',
            'Allow'                            => 'GET, POST, OPTIONS',
            'Access-Control-Allow-Headers'     => 'Origin, Content-Type, Accept, Authorization, X-Requested-With',
            'Access-Control-Allow-Credentials' => 'true'
        ];

        return Response::make(null, $statusCode, $headers);
    }
});

And my after filter:

App::after(function($request, $response)
{
    $response->headers->set('Access-Control-Allow-Origin', 'http://mydomain.com');
    $response->headers->set('Allow', 'GET, POST, OPTIONS');
    $response->headers->set('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, X-Requested-With');
    $response->headers->set('Access-Control-Allow-Credentials', 'true');
    return $response;
});

The thing is, when I try to make a POST request to /login with the credentials, the API checks the db and gets the API key for the user. This is working just fine. But when I try to make a POST request to /users, Chrome just gives me the following error:

XMLHttpRequest cannot load http://api-example.com/users. Origin http://mydomain.com is not allowed by Access-Control-Allow-Origin.

I tried everything, such as setting Access-Control-Allow-Origin to '*', everything I was able to find on the internet. But nothing has worked so far. I don't know what I should do.

Answered by Dipu R

There is a mistake in the header name.

header('Allow: GET, POST, OPTIONS'); // This is wrong.

header('Access-Control-Allow-Methods: GET, POST, OPTIONS'); // This is right.

Answered by Phil Sturgeon

There is no point making a fancy response object and returning it, then letting the page process run as it'll obliterate your CORS headers and continue with the usual content.

App::before(function($request)
{
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {

        // header() takes a single "Name: value" string; its second argument is the $replace flag.
        header('Access-Control-Allow-Origin: http://mydomain.com');
        header('Allow: GET, POST, OPTIONS');
        header('Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Requested-With');
        header('Access-Control-Allow-Credentials: true');

        exit;
    }
});
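
Added example (not from the original question or answers): one way to build the CORS headers discussed above from an exact-match origin allowlist, with the method list sent in Access-Control-Allow-Methods on the preflight. The function name cors_headers, the default allowlist and the sample requests are assumptions constructed for illustration; it is plain PHP 5.5+ and does not depend on Laravel.

```php
<?php
// Added example: compute CORS response headers from an origin allowlist.
// cors_headers() and its default allowlist are hypothetical names/values.

function cors_headers($origin, $method, array $allowed = ['http://mydomain.com'])
{
    // The response depends on the Origin request header, so tell caches
    // to key on it even when no CORS headers are granted.
    $headers = ['Vary' => 'Origin'];

    // Exact string comparison only: no substring or pattern matching on Origin.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return $headers;
    }

    // With Access-Control-Allow-Credentials: true the browser rejects '*',
    // so the validated origin is echoed back instead of a wildcard.
    $headers['Access-Control-Allow-Origin']      = $origin;
    $headers['Access-Control-Allow-Credentials'] = 'true';

    if ($method === 'OPTIONS') {
        // Preflight-only headers. The method list belongs in
        // Access-Control-Allow-Methods, not in Allow.
        $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
        $headers['Access-Control-Allow-Headers'] =
            'Origin, Content-Type, Accept, Authorization, X-Requested-With';
    }

    return $headers;
}

// Constructed sample requests: [Origin header value, HTTP method].
$samples = [
    ['http://mydomain.com', 'OPTIONS'],               // preflight from the web app
    ['http://mydomain.com', 'POST'],                  // actual request
    ['http://mydomain.com.other.example', 'POST'],    // not an exact match: no grant
    [null, 'GET'],                                    // same-origin or non-browser client
];

foreach ($samples as $sample) {
    list($origin, $method) = $sample;
    echo $method, ' from ', var_export($origin, true), "\n";
    foreach (cors_headers($origin, $method) as $name => $value) {
        // In a real response this line would be: header("$name: $value");
        echo "  $name: $value\n";
    }
}
```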

Answered by Tommy at LIW

Some browsers may deny this, because XSS scripts are doing nasty things in that way.

If you load your js file from http://api-example.com/, it might help, but there are more stable solutions:

  • You can use curl (or something similar) or
  • You can use a proxy (Apache, Nginx, etc) for your AJAX request to load the response from the other host
  • Or if you are using a load balancer, or frontend caching stuff, you can create a rule...

It depends on your infrastructure and needs, but if performance matters, skip curl.
