Original URL: http://stackoverflow.com/questions/26243364/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Ajax Request header field Key is not allowed by Access-Control-Allow-Headers
Asked by NorianNyx
Trying to build a DNN Service Framework WebAPI but I'm having trouble consuming it with CORS. I have all of the appropriate headers (I think) but it still doesn't seem to be working.
Error:
XMLHttpRequest cannot load http://www.dnndev.me/mysite/builder/API/echo?message=Hello+World&_=1412707749275. Request header field Key is not allowed by Access-Control-Allow-Headers.
Request Headers:
Remote Address: 127.0.0.1:80
URL: http://www.dnndev.me/mysite/builder/API/echo?message=Hello
Request Method: OPTIONS
Status Code: 200 OK
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Access-Control-Request-Headers: accept, key
Access-Control-Request-Method: GET
Connection: keep-alive
Host: www.dnndev.me
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
Response Headers:
Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Cache-Control: no-cache
Content-Length: 13
Content-Type: application/json; charset=utf-8
Date: Tue, 07 Oct 2014 18:49:10 GMT
Expires: -1
Pragma: no-cache
Server: Microsoft-IIS/7.5
Generally, this error would be caused by not having the appropriate header in 'Access-Control-All-Headers'. However, I am sending the correct response to allow ajax to continue with its request. It simply refuses to.
Here is my ajax call to the method:
$.ajax({
    type: 'GET',
    url: 'http://www.dnndev.me/mysite/builder/API/echo',
    dataType: 'json',
    data: { message: 'Hello' },
    crossDomain: true,
    headers: { 'Key': 'Bearer 7680ff6e-1362-4236-a9cd-c6bc8b6f13ea' },
    success: function (result) { console.log(result); }
});
Probably obvious, but this only happens on cross domain requests and only when I include the custom header (therefore forcing ajax to do an OPTIONS).
Answered by Darin Dimitrov
Your server responds with the following custom header to the preflight request:
Access-Control-All-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
whereas if you (or the person who wrote this server) read carefully about CORS he should have responded with:
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
Now the client could go ahead and use the Key custom header.
This being said, Bearer is quite specific to OAuth 2 which is sent throughout the Authorization header. Using Key seems like a terrible violation of RFCs and stuff and a wheel reinvention kinda.
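Added example (not part of the original question or answers): a JavaScript sketch of the check a browser applies to a preflight response, run over the headers quoted in the question. The function name checkPreflight and the reduced safelist are assumptions made for illustration.

```javascript
// Added example: evaluate a CORS preflight response roughly the way a browser does.
// Header names the browser acts on in a preflight response (Fetch standard).
const KNOWN_CORS_RESPONSE_HEADERS = new Set([
  'access-control-allow-origin', 'access-control-allow-methods',
  'access-control-allow-headers', 'access-control-allow-credentials',
  'access-control-max-age', 'access-control-expose-headers',
]);
// Simplification: safelisted request headers never need to be listed by the server.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);

// HTTP header names are case-insensitive, so compare in lower case.
const lowerKeys = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
const splitList = (v) =>
  (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

function checkPreflight(requestHeaders, responseHeaders) {
  const req = lowerKeys(requestHeaders);
  const res = lowerKeys(responseHeaders);
  const allowed = new Set(splitList(res['access-control-allow-headers']));
  // Requested headers the response does not authorise: the browser blocks the real request.
  const blocked = splitList(req['access-control-request-headers'])
    .filter((name) => !SAFELISTED.has(name) && !allowed.has(name));
  // Access-Control-* names the browser does not know are silently ignored (likely typos).
  const unrecognized = Object.keys(res)
    .filter((n) => n.startsWith('access-control-') && !KNOWN_CORS_RESPONSE_HEADERS.has(n));
  return { ok: blocked.length === 0, blocked, unrecognized };
}

// Constructed from the headers quoted in the question.
const preflightRequest = {
  'Access-Control-Request-Method': 'GET',
  'Access-Control-Request-Headers': 'accept, key',
};
const asPosted = {
  'Access-Control-All-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Key',
  'Access-Control-Allow-Methods': '*',
  'Access-Control-Allow-Origin': '*',
};
// Same response with the header name spelled correctly.
const corrected = {
  'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept, Key',
  'Access-Control-Allow-Methods': '*',
  'Access-Control-Allow-Origin': '*',
};

console.log(checkPreflight(preflightRequest, asPosted));
console.log(checkPreflight(preflightRequest, corrected));
```

The unrecognized list is the useful part when debugging: a misspelled Access-Control-* name produces no server-side error, so comparing response header names against the known set catches it before the browser does.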
Answered by Zartag
Please note the typo in Nyx's question and Darin's answer ('ow' missing). So it's
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Key
and it resolves the error message 'Request header field some-header-field is not allowed by Access-Control-Allow-Headers in preflight mode', if sent as an answer to the browser's OPTION request.
Answered by Hasan
Add this to your server response headers:
header('Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token , Authorization');

