[英]CORS policy block a javascript request (POST on API route) in Laravel
I got a message from chrome console when I'm trying to make a request in javascript:当我尝试在 javascript 中发出请求时,我收到了来自 chrome 控制台的消息:
Access to XMLHttpRequest at 'https://SITE_B'
from origin 'https://SITE_A' has been blocked by
CORS policy: Request header field x-csrf-token is not
allowed by Access-Control-Allow-Headers in preflight response.
So, SITE_A is a laravel website with valid SSL certificate as well as SITE_B (a simple website).因此,SITE_A 是一个 laravel 网站,具有有效的 SSL 证书以及 SITE_B(一个简单的网站)。 I have the hand over the two websites.我有两个网站的交出。 My desire is to make a request in javascript from SITE_B to SITE_A in javascript using a POST request and the API system from Laravel.我的愿望是在 javascript 中使用 POST 请求和来自 ZA705C95B86829ED12EA 的 ZDE974238714CA8DE634A7CE1D083A14FZ 系统从 SITE_B 到 SITE_A 发出请求。
The idea works well without SSL protocol.这个想法在没有 SSL 协议的情况下运行良好。
I really don't understand the message.我真的不明白这个消息。
I put a '*' in 'allowedMethods' and 'allowedHeaders' in laravel config.我在 laravel 配置中的“allowedMethods”和“allowedHeaders”中添加了一个“*”。 And I also put it in the apache config file in the SITE_A server.我也把它放在 SITE_A 服务器的 apache 配置文件中。
What do I miss?我想念什么?
EDIT: Barry white extension config编辑:巴里白扩展配置
return [
/*
|--------------------------------------------------------------------------
| Laravel CORS
|--------------------------------------------------------------------------
|
| allowedOrigins, allowedHeaders and allowedMethods can be set to array('*')
| to accept any value.
|
*/
'supportsCredentials' => false,
'allowedOrigins' => ['*'],
'allowedOriginsPatterns' => [],
'allowedHeaders' => ['*'],
'allowedMethods' => ['GET', 'POST'],
'exposedHeaders' => [],
'maxAge' => 0,
];
Edit²:编辑²:
Utility.createRequest = function (method, url, params, callback, doNotReadResponse)
{
"use strict";
if ( Utility.debug )
{
if ( params )
{
console.log('[DEBUG] %s request\n%s?%s', method, url, params);
}
else
{
console.log('[DEBUG] %s request\n%s (No parameters)', method, url);
}
}
/* On crée la requête POST. */
const xhr = new XMLHttpRequest();
xhr.onreadystatechange = function (event) {
if ( event.currentTarget.readyState !== XMLHttpRequest.DONE )
{
return;
}
if ( event.currentTarget.status === 200 )
{
if ( Utility.debug )
{
console.log(event.currentTarget);
}
if ( !doNotReadResponse )
{
var response = JSON.parse(event.currentTarget.responseText);
/* Si on a un callback. */
if ( callback )
{
/* NOTE: on vérifie que notre serveur ne renvoit aucune erreur de traîtement. */
callback(response.ErrorCode === 0, response.Message, response);
}
}
else if ( callback )
{
callback(true, "Server responded !", event.currentTarget.response);
}
}
else
{
if ( callback )
{
callback(false, 'HTTP CODE ' + event.currentTarget.status + ' : "' + event.currentTarget.statusText + '".', event.currentTarget.responseText);
}
else
{
console.error('HTTP CODE %d : "%s".', event.currentTarget.status, event.currentTarget.statusText);
}
console.error(event.currentTarget.responseText);
}
};
var csrf = Utility.getMeta('csrf-token');
if ( csrf.length <= 0 )
{
console.error('Unable to find "X-CSRF-TOKEN" in the web page !');
return false;
}
if ( Utility.debug )
{
console.log("Using 'X-CSRF-TOKEN:%s'.", csrf);
}
switch ( method.toLowerCase() )
{
case 'post' :
xhr.open('POST', url, true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.setRequestHeader('X-CSRF-TOKEN', csrf);
xhr.setRequestHeader('Accept', 'application/json');
xhr.setRequestHeader('Authorization', 'Bearer ' + Utility.userToken);
/* DEBUG: Remove */
//xhr.send(params);
xhr.send((params ? params + '&' : '') + 'referer_override=1');
break;
case 'get' :
xhr.open('GET', url + ( params ? '?' + params : '' ), true);
xhr.setRequestHeader('X-CSRF-TOKEN', csrf);
xhr.setRequestHeader('Accept', 'application/json');
xhr.setRequestHeader('Authorization', 'Bearer ' + Utility.userToken);
xhr.send();
break;
default:
return false;
}
return true;
};
'allowedHeaders' => ['*'],
In this line you need to write headers which you allow, now a '*'在这一行中,您需要编写允许的标题,现在是“*”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.