[英]Custom headers get added to Access-Control-Request-Headers
I am trying to add a custom header to my angular js GET request as below: 我正在尝试向我的有角js GET请求中添加自定义标头,如下所示:
$http({
method : 'GET',
url : s,
headers : {
"partnerId" : 221,
"partnerKey" : "heeHBcntCKZwVsQo"
}
})
But the issue is the headers are getting added to Access-Control-Request-Headers as below and I am getting 403 Forbidden response: 但是问题是标题被添加到如下所示的Access-Control-Request-Headers中,并且我收到403禁止响应:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0)
Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/ *;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: partnerid,partnerkey
Origin: http://localhost:8080
DNT: 1
Connection: keep-alive
I also tried below changes but no luck 我也尝试了以下更改,但没有运气
return $http.get(s, {
headers : {
'partnerId' : 221,
'partnerKey': 'heeHBcntCKZwVsQo'
}
})
In other related answers in SO I saw that the header partnerId and partnerKey need to be enabled in server side. 在SO的其他相关答案中,我看到需要在服务器端启用标头partnerId和partnerKey。 But I am able to add these custom headers in POSTMAN client and other POST clients and able to get the expected response.
但是我能够在POSTMAN客户端和其他POST客户端中添加这些自定义标头,并能够获得预期的响应。 So I guess I am missing something.
所以我想我缺少了一些东西。 Can someone guide me in this.
有人可以在这方面指导我。 Thanks in advance
提前致谢
Edit: One more thing I noted is that partnerId is replaced as partnerid while passing in the request. 编辑:我注意到的另一件事是,在传递请求时,partnerId被替换为partnerid。 Not sure if that makes a difference.
不知道这是否有所作为。
If you add any headers to a scripted cross-origin request other than any CORS-safelisted request-headers , it triggers browsers to first do a CORS preflight request . 如果您向脚本化的跨域请求添加任何标头(而不是任何CORS安全列出的请求标头) ,则会触发浏览器首先执行CORS预检请求 。
There is no way to prevent users' browsers from doing that CORS preflight (though there are ways to get around it locally in your own browser when doing testing; for example, by using Postman). 没有办法阻止用户的浏览器进行CORS的预检(尽管在进行测试时,有多种方法可以在您自己的浏览器中本地解决该问题;例如,通过使用Postman)。
So for users to be able to use a Web app of yours that makes scripted cross-origin requests with custom headers, the server to which those cross-origin requests go needs to be CORS-aware. 因此,为了使用户能够使用您的Web应用程序(该Web应用程序使用自定义标头发出脚本化的跨域请求),这些跨域请求所到达的服务器必须支持CORS。
The reason Postman can make such requests without causing a preflight is, Postman's not a browser engine—it's an extension that's not restricted by the same-origin policy, so doesn't need CORS. Postman可以发出这样的请求而不会引起预检的原因是,Postman不是浏览器引擎,它是不受相同来源策略限制的扩展,因此不需要CORS。
Postman can basically do whatever curl
or other such tools can do, but just within a browser UI for convenience. Postman基本上可以执行
curl
或其他此类工具可以执行的任何操作,但是为了方便起见,仅在浏览器UI内。 It's otherwise bypassing normal Web-security features built into browsers. 否则,它将绕过浏览器内置的常规Web安全功能。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.