jQuery Access-Control-Allow-Origin 标头不起作用 - 我做错了什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11933626/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Access-Control-Allow-Origin header not working - What am I doing wrong?
提问by scav
I am attempting to provide a response to the HTTP OPTIONS method with an Access-Control-Allow-Origin header copying the contents of the Origin header in the request.
我正在尝试使用 Access-Control-Allow-Origin 标头提供对 HTTP OPTIONS 方法的响应,该标头复制请求中 Origin 标头的内容。
This is apparently not working, for reasons I can't figure out.
这显然不起作用,原因我无法弄清楚。
tl;dr:response from OPTIONS says:
tl;dr:来自 OPTIONS 的回复说:
Access-Control-Allow-Origin: http://10.0.0.105:9294
subsequent GET has:
随后的 GET 有:
Origin:http://10.0.0.105:9294
Chrome says:
铬 说:
Origin http://10.0.0.105:9294 is not allowed by Access-Control-Allow-Origin
WTF not?
跆拳道不是吗?
More detail...
更多详情...
By looking in Chrome's developer tools window, the request headers are:
通过查看 Chrome 的开发人员工具窗口,请求标头是:
OPTIONS /user/kris HTTP/1.1
Host: 10.0.0.104:8080
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://10.0.0.105:9294
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1
Access-Control-Request-Headers: origin, x-requested-with, content-type, accept
Accept: */*
Referer: http://10.0.0.105:9294/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The response headers are:
响应头是:
HTTP/1.0 200 OK
Date: Mon, 13 Aug 2012 11:23:45 GMT
Server: WSGIServer/0.1 Python/2.7.3
Content-Length: 0
Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS
Access-Control-Max-Age: 10
Access-Control-Allow-Origin: http://10.0.0.105:9294
Access-Control-Allow-Headers: X-Requested-With, Authorization, X-Huzu-User, Content-Type, Accept
Content-Type: text/html; charset=UTF-8
After jQuery sends its OPTIONS request and gets the above response, 2 odd things happen. The OPTIONS response (which is a 200) shows up in the developer console as an error:
在 jQuery 发送其 OPTIONS 请求并获得上述响应后,发生了两件奇怪的事情。OPTIONS 响应(即 200)在开发人员控制台中显示为错误:
OPTIONS http://10.0.0.104:8080/user/kris 200 (OK)
After which a GET request is rejected. Error in the console:
之后 GET 请求被拒绝。控制台中的错误:
XMLHttpRequest cannot load http://10.0.0.104:8080/user/kris. Origin http://10.0.0.105:9294 is not allowed by Access-Control-Allow-Origin.
I can't see why not. What am I doing wrong?
我不明白为什么不。我究竟做错了什么?
回答by scav
OK, I think I've got it. It seems that proper handling of the pre-flight OPTIONS request is necessary, but NOT SUFFICIENTfor cross-site resource requests to work.
好的,我想我明白了。似乎有必要正确处理飞行前 OPTIONS 请求,但不足以使跨站点资源请求起作用。
After the OPTIONS request comes back with satisfactory headers, all responses to any subsequent requests to the same URL alsohave to have the necessary "Access-Control-Allow-Origin" header, otherwise the browser will swallow them, and they won't even show up in the debugger window.
在 OPTIONS 请求返回令人满意的标头后,对同一 URL 的任何后续请求的所有响应也必须具有必要的“Access-Control-Allow-Origin”标头,否则浏览器会吞下它们,甚至不会显示在调试器窗口中。
So it will look likethe browser cancelled the request because of some problem in the OPTIONS response, but actually, the browser is looking at the response headers from the real request and then rejecting them.
因此,看起来浏览器由于 OPTIONS 响应中的某些问题而取消了请求,但实际上,浏览器正在查看来自真实请求的响应标头,然后拒绝它们。
