使用 withCredentials 和客户端证书的 jQuery 的 CORS 请求失败
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19644015/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
CORS request failure with jQuery using withCredentials and client certificates
提问by mikew
I can't figure out why this CORS request is failing to return data.
我不明白为什么这个 CORS 请求无法返回数据。
I'm using Catalyst MVC on the backend, Firefox 24.0 as a browser. jQuery 1.9.1. Please note the following:
我在后端使用 Catalyst MVC,Firefox 24.0 作为浏览器。jQuery 1.9.1。请注意以下事项:
- otherdomain.com requires a client certificate.
- hitting the resource directly returns expected data. (https://otherdomain.com/resource/1) returns proper data.
- otherdomain.com 需要客户端证书。
- 命中资源直接返回预期数据。( https://otherdomain.com/resource/1) 返回正确的数据。
I have a simple page that tests the request:
我有一个简单的页面来测试请求:
<script type='text/javascript'>
function get_data() {
console.log("running");
$.ajax({
url: "https://otherdomain.com/resource/1",
dataType: 'json',
type: 'GET',
xhrFields: {
'withCredentials': true
},
crossDomain: true
}).success(function(data) {
console.log(data)
$('#output').html(data);
}).error(function(xhr, status, error) {
alert("error");
console.log(xhr);
});
}
$(document).ready(function() {
get_data();
});
</script>
</script>
Here are my request headers:
这是我的请求标头:
GET /resource/1 HTTP/1.1
Host: otherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mydomain.com/test.html
Origin: https://mydomain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Here are my response headers. (copy of view source from firebug console) I see on my catalyst debug output that the request is served as 200 OK and the content is sent.
这是我的响应标头。(从萤火虫控制台查看源代码的副本)我在催化剂调试输出中看到请求被用作 200 OK 并且内容被发送。
HTTP/1.1 200 OK
Date: Mon, 28 Oct 2013 19:31:08 GMT
Server: HTTP::Server::PSGI
Vary: Content-Type
Content-Length: 653
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1800
X-Catalyst: 5.90030
Via: 1.1 otherdomain.com
And the error is thrown from the ajax call:
错误是从 ajax 调用中抛出的:
readyState: 0
responseText: ""
status: 0
statusText: "error"
firebug shows the response body as empty from the request event though it's a 200 OK.
firebug 将请求事件中的响应正文显示为空,尽管它是 200 OK。
I thought that when using 'withCredentials' a pre-flight request was required but I don't see an OPTIONS being sent via firebug.
我认为在使用“withCredentials”时需要飞行前请求,但我没有看到通过 firebug 发送的 OPTIONS。
Also, i can see no Access-Control-Request-Headerbeing added by my request, so I'm not returning any Access-Control-Allow-Headersfrom the server.
此外,我可以看到Access-Control-Request-Header我的请求没有添加任何内容,所以我没有Access-Control-Allow-Headers从服务器返回任何内容。
Now, the frontend of Catalyst is Apache2, and I'm using proxypass in a virtual host to send the request to catalyst on localhost:8080. I'm not sure if that has any bearing but thought it might be important. It should be transparent to the browser though.
现在,Catalyst 的前端是 Apache2,我在虚拟主机中使用 proxypass 将请求发送到 localhost:8080 上的 Catalyst。我不确定这是否有任何影响,但我认为这可能很重要。不过,它应该对浏览器透明。
Thanks for any help!
谢谢你的帮助!
回答by LostInComputer
回答by Rob
I have a similar issue, where everything works fine in Chrome, but I get 405 for all cross-domain requests in Firefox (and similar problems with IE). I tried adding xhrFields, and the crossDomain flag. I am also using beforeSend to actually do an xhr.withCredentials = true. I made sure that I have hostname match on the service backend. I use the Access-Control-Allow-Credentials header.
我有一个类似的问题,在 Chrome 中一切正常,但我在 Firefox 中的所有跨域请求都得到了 405(以及 IE 的类似问题)。我尝试添加 xhrFields 和 crossDomain 标志。我也在使用 beforeSend 实际上做一个xhr.withCredentials = true. 我确保我在服务后端有主机名匹配。我使用 Access-Control-Allow-Credentials 标头。
The one thing that might be different... I only send these headers when the Origin header is present, because if I don't get Origin, my only response for Access-Control-Allow-Origin could be *because I would not know what the origin is.
可能不同的一件事......我只在 Origin 标头存在时发送这些标头,因为如果我没有得到 Origin,我对 Access-Control-Allow-Origin 的唯一响应可能是*因为我不知道是什么起源是。
