Javascript “请求头字段授权不允许”错误 - Tastypie
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10548883/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
'Request header field Authorization is not allowed' error - Tastypie
提问by egidra
I am getting the following error while using ApiKeyAuthentication for my Tastypie resources when I try to do an HTTP request using AJAX and Tastypie:
当我尝试使用 AJAX 和 Tastypie 执行 HTTP 请求时,将 ApiKeyAuthentication 用于我的 Tastypie 资源时出现以下错误:
XMLHttpRequest cannot load http://domain.com/api/v1/item/?format=json&username=popo&api_key=b83d21e2f8bd4952a53d0ce12a2314c0ffa031b1. Request header field Authorization is not allowed by Access-Control-Allow-Headers.
Any ideas on how to solve this?
关于如何解决这个问题的任何想法?
Here are the request headers from Chrome:
以下是来自 Chrome 的请求标头:
Request Headersview source
Accept:*/*
Accept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:
origin, authorization, access-control-allow-origin, accept, access-control-allow-headers
Access-Control-Request-Method:
GET
Here are the response headers from Chrome:
以下是来自 Chrome 的响应标头:
Response Headersview source
Access-Control-Allow-Headers:
Origin,Content-Type,Accept,Authorization
Access-Control-Allow-Methods:
POST,GET,OPTIONS,PUT,DELETE
Access-Control-Allow-Origin:*
Connection:keep-alive
Content-Length:0
Content-Type:
text/html; charset=utf-8
Date:Fri, 11 May 2012 21:38:35 GMT
Server:nginx
As you can see, they both have headers for Authorization, yet authorization does not work.
如您所见,它们都有用于授权的标头,但授权不起作用。
Here is the django middleware that I am using to edit the response headers: https://gist.github.com/1164697
这是我用来编辑响应标头的 django 中间件:https: //gist.github.com/1164697
Edit: I figured out the problem. I was trying to connect to www.domain.com, and it only accepts domain.com
编辑:我想出了问题。我试图连接到 www.domain.com,它只接受 domain.com
采纳答案by antyrat
This happens because of Same origin policy.
这是因为同源策略。
You need to make AJAX call from same domain where request goes. Or make server-side changes, allowing requests from external domains.
您需要从请求所在的同一域进行 AJAX 调用。或者进行服务器端更改,允许来自外部域的请求。
To resolve this you need to make changes in headers at http://domain.comby allowing your external domain in headers:
要解决此问题,您需要通过在标头中允许外部域来更改http://domain.com的标头:
Access-Control-Allow-Origin: *
Read more
阅读更多
回答by Manuel Bitto
Antyrat's answer is not complete.
Antyrat 的回答并不完整。
You have to specify which headers your server allows; in your case Authorization.
您必须指定您的服务器允许哪些标头;在你的情况下授权。
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization
回答by Yair Zaslavsky
Although I upvoted the answer of @Manuel Bitto,
I would like to post another answer which contains a complete Cors Filter that works for me with Apache tomcat 5.x:
尽管我赞成@Manuel Bitto 的答案,但
我想发布另一个答案,其中包含适用于 Apache tomcat 5.x 的完整 Cors 过滤器:
public class CorsFilter implements Filter {
public CorsFilter() { }
public void init(FilterConfig fConfig) throws ServletException { }
public void destroy() { }
public void doFilter(
ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletResponse httpServletResponse = (HttpServletResponse)response;
httpServletResponse.addHeader("Access-Control-Allow-Origin", "*");
httpServletResponse.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, DELETE");
httpServletResponse.addHeader("Access-Control-Allow-Headers", "Authorization");
chain.doFilter(request, response);
}
}
I would suggest to specifically pay attention to the addition of OPTIONS to to the "Access-Control-Allow-Methods" header values.
The reason for doing that is that according to the explanation provided hereby Mozilla,
if your request (let's say POST) contains a special header, or content type (and this is my case), then the XMLHttpRequest object will generate an additional OPTIONS call, which you need to address in your code.
I hope this helps.
我建议特别注意将 OPTIONS 添加到“Access-Control-Allow-Methods”标头值中。
这样做的原因是,根据Mozilla在此处提供的解释,
如果您的请求(比方说 POST)包含一个特殊的标头或内容类型(这是我的情况),那么 XMLHttpRequest 对象将生成一个额外的 OPTIONS 调用,您需要在代码中解决这个问题。
我希望这有帮助。
回答by C For Code
I know this question is older.
我知道这个问题比较老了。
But today I ran into same cors issue after adding owin. After number of search on google and trying various solutions. I solved cors issue by adding below
但是今天我在添加 owin 后遇到了同样的 cors 问题。在谷歌搜索并尝试各种解决方案之后。我通过在下面添加解决了 cors 问题
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
For more details please follow the below links. Thanks.
欲了解更多详情,请点击以下链接。谢谢。
回答by egidra
The problem was that www.domain.com was seen as different than domain.com. domain.com worked, but when I used www.domain.com, it detected me as doing requests from a different domain
问题是 www.domain.com 被视为与 domain.com 不同。domain.com 有效,但是当我使用 www.domain.com 时,它检测到我正在执行来自不同域的请求
