jQuery 使用 IE11 的 CORS 请求
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20198696/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
CORS request with IE11
提问by Drew
I have a CORS (cross origin resource sharing) request coming from my login page to the application site, on a different URL. I have a simple page I ping to determine if a user is already logged in, and if so, redirects them. Otherwise I show a login page. I use jQuery.
我在不同的 URL 上有一个从我的登录页面到应用程序站点的 CORS(跨源资源共享)请求。我有一个简单的页面,我 ping 以确定用户是否已经登录,如果是,则重定向他们。否则我会显示一个登录页面。我使用 jQuery。
This works great in safari, chrome, firefox... and not IE (naturally). According to MS, IE 10 and later should support CORS requests with withCredentials
这在 safari、chrome、firefox 中非常有效......而不是 IE(自然)。根据 MS,IE 10 及更高版本应该支持带有 withCredentials 的 CORS 请求
I'm using jquery-2.0.3.min.js
我正在使用 jquery-2.0.3.min.js
Any ideas why this isn't working in IE11?
任何想法为什么这在 IE11 中不起作用?
EDIT: It appears as though it IS partially working, as it is now returning a value of {"id":false}. This happens every time, meaning that the server is never getting the credentials. I am also posting my is_logged_in page, I am using the code igniter framework.
编辑:看起来好像它在部分工作,因为它现在返回 {"id":false} 的值。每次都会发生这种情况,这意味着服务器永远不会获得凭据。我还发布了我的 is_logged_in 页面,我正在使用代码点火器框架。
EDIT: After enabling "Allow data sources across domains" under IE's security settings, I no longer receive any error messages.
编辑:在 IE 的安全设置下启用“允许跨域数据源”后,我不再收到任何错误消息。
The exact error I receive is:
我收到的确切错误是:
SEC7118: XMLHttpRequest for http://mysite.net/guest/is_logged_inrequired Cross Origin Resource Sharing (CORS).
SEC7118:http://mysite.net/guest/is_logged_in 的 XMLHttpRequest需要跨源资源共享 (CORS)。
$.ajax({
url: 'http://mysite.net/guest/is_logged_in',
type: 'POST',
crossDomain: true,
xhrFields: {
withCredentials: true
},
dataType: 'json',
success: function(data) {
if(data.id) {
window.location.replace("http://mysite.net");
}
}
});
and
和
public function is_logged_in()
{
$allowed = array(
'http://mysite.net',
'http://www.mysite.net',
'http://www.mysite.com',
);
$url = $_SERVER['HTTP_REFERER'];
$url = substr($url, 0, strpos($url, '/', 8));
if(isset($_SERVER['HTTP_ORIGIN']))
{
if(in_array($_SERVER['HTTP_ORIGIN'], $allowed))
{
$this->output->set_header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
}
}
else
{
if(in_array($url, $allowed))
{
$this->output->set_header('Access-Control-Allow-Origin: ' . $url);
}
}
$this->output->set_header('Access-Control-Allow-Headers: X-Requested-With');
$this->output->set_header('Access-Control-Allow-Credentials: true');
$this->output->set_header("Access-Control-Expose-Headers: Access-Control-Allow-Origin");
//TODO: Try to detect if this is an ajax request, and disallow it if not.
$data = new stdClass();
$this->load->library("ion_auth");
if($this->ion_auth->logged_in())
{
$data->name = $this->ion_auth->user()->row()->first_name;
$data->id = $this->ion_auth->get_user_id();
} else {
$data->id = false;
}
$this->output->set_output(json_encode($data));
}
Thanks in advance
提前致谢
采纳答案by EricLaw
Changing the setting for "Access data sources across domains" to Enabled turns off cross-domain checks in IE and is horrifically unsafe. Instead, you need to ensure that the target 3rd-party resource sends a valid P3P policythat indicates that it's not doing horrible things to the user's privacy.
将“跨域访问数据源”的设置更改为“启用”会关闭 IE 中的跨域检查,并且非常不安全。相反,您需要确保目标 3rd-party 资源发送一个有效的 P3P 策略,表明它没有对用户的隐私做可怕的事情。
回答by Drew
Found the issue.
发现问题。
I had a similar problem (using CORS in general, not specifically GWT). It turned out that the browser settings were blocking third-party cookies (IE10 > Internet Options > Privacy > Advanced > Third Party Cookies > Accept). To solve the problem, I checked "Override automatic cookie handling", "Accept" (Third-party Cookies) and "Always allow session cookies."
我有一个类似的问题(一般使用 CORS,而不是专门使用 GWT)。结果发现浏览器设置阻止了第三方 cookie(IE10 > Internet 选项 > 隐私 > 高级 > 第三方 Cookie > 接受)。为了解决这个问题,我选中了“覆盖自动 cookie 处理”、“接受”(第三方 cookie)和“始终允许会话 cookie”。
Andrew answered this question here: CORS doesn't work with cookies in IE10
安德鲁在这里回答了这个问题:CORS 不适用于 IE10 中的 cookie
EDIT: (Now that I know what to search for) This question may yield some help too, if anyone else runs into this issue. Internet Explorer 10 is ignoring XMLHttpRequest 'xhr.withCredentials = true'
编辑:(现在我知道要搜索什么)如果其他人遇到这个问题,这个问题也可能会产生一些帮助。Internet Explorer 10 忽略 XMLHttpRequest 'xhr.withCredentials = true'
回答by RiZKiT
We had the problem that, except every other browser, the IE11 send Access-Control-Request-Headers: acceptwith the request, so "accept" had to be added to the allowedHeaders cors configuration, because it seems not to be part of the default spring cors configuration.
我们遇到的问题是,除了所有其他浏览器,IE11 都会Access-Control-Request-Headers: accept随请求一起发送,因此必须将“accept”添加到 allowedHeaders cors 配置中,因为它似乎不是默认 spring cors 配置的一部分。
回答by 3spot
IE10 requires the server return a valid P3P policy in addition to CORS headers for cross domain requests. Here is sample php code for returning a P3P header from the server.
除了跨域请求的 CORS 标头之外,IE10 还要求服务器返回有效的 P3P 策略。这是用于从服务器返回 P3P 标头的示例 php 代码。
$szOrigin = $_SERVER['HTTP_ORIGIN'];
if ($szOrigin != null)
{
header("Access-Control-Allow-Origin: $szOrigin");
header("Access-Control-Allow-Credentials: true");
header("P3P: CP=\"ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI\"");
}
回答by Fadi
After a lot of digging i found that the page that i'm pinging using ajax is on the internet zone while my current page in on the intranet zone.
经过大量挖掘,我发现我使用 ajax ping 的页面位于 Internet 区域,而我当前的页面位于 Intranet 区域。
IE 11 has the "Protected Mode" enabled for internet sites and when this is enabled cookies are not being sent to the site that i'm pinging even if they belong to that domain.
IE 11 为 Internet 站点启用了“保护模式”,当启用此功能时,cookie 不会发送到我正在 ping 的站点,即使它们属于该域。
Adding the page to the trusted sites, or disabling "Protected Mode" solved the problem.
将页面添加到受信任的站点,或禁用“保护模式”解决了问题。
Note that this problem does not happen when both sites are in the internet zone even when "Protected Mode" is enabled.
请注意,即使启用了“保护模式”,当两个站点都在 Internet 区域中时,也不会发生此问题。
回答by dataplumber
I had similar problem and found that neither axios or jquery can be made to work with Internet Explorer and the preflight/CORS issue. Only good old XMLhttpRequest worked. Because in pure XMLhttpRequest we can do this:
我遇到了类似的问题,发现 axios 或 jquery 都无法与 Internet Explorer 和预检/CORS 问题一起使用。只有好的旧 XMLhttpRequest 有效。因为在纯 XMLhttpRequest 中我们可以这样做:
if (xhttp.readyState == 4 && xhttp.status == 200)
It seems that axios and jquery take into account the status and not the readyState - they somehow interpret that there is a cors problem - and it takes a few ticks to reach readyState == 4 in IE.
似乎 axios 和 jquery 考虑了状态而不是 readyState - 他们以某种方式解释存在 cors 问题 - 在 IE 中达到 readyState == 4 需要一些滴答声。
