堆栈内存溢出
  简体   繁体   English

仅当有标头时,Chrome中的CORS请求才会失败

[英]CORS request fails in Chrome only if has headers

 原文  2013-01-24 02:00:26       jquery/ ajax/ google-chrome/ http-headers/ cors

问题描述

I'm trying to send simple CORS request to external application server which uses session key for authorization. 我正在尝试向使用会话密钥进行授权的外部应用程序服务器发送简单的CORS请求。 

$.ajax({
    type: "GET",
    url: "https://192.168.1.72:8442/api/file/",
    headers: {"Authorization": "3238562439e44fcab4036a24a1e6b0fb"}
});

It works fine in Firefox 18, Opera 12.12 and Rekonq 2.0 (uses also WebKit) but doesn't work in Google Chrome (tried versions 21 and 24). 它在Firefox 18,Opera 12.12和Rekonq 2.0(也使用WebKit)中工作正常但在Google Chrome中无效(尝试过版本21和24)。 In Google Chrome it shows OPTIONS Resource failed to load in Network Inspector and application server doesn't get any request. 在Google Chrome中,它显示OPTIONS资源无法在Network Inspector中加载,并且应用程序服务器未收到任何请求。 I've tried jQuery 1.8.3 and 1.9.0. 我试过jQuery 1.8.3和1.9.0。 

Request URL:https://192.168.1.72:8442/api/file/
Request Headers
Access-Control-Request-Headers:accept, authorization, origin
Access-Control-Request-Method:GET
Cache-Control:no-cache
Origin:https://192.168.1.72:8480
Pragma:no-cache

If I remove headers from the request then I receive 401 also in Google Chrome and it's able to access the resource in case of authorization is disabled on application server. 如果我从请求中删除标题,那么我也会在Google Chrome中收到401,并且在应用服务器上禁用授权的情况下,它可以访问该资源。 It doesn't matter which headers are sent. 发送哪个标头无关紧要。 Only header I'm able to send is {"Content-Type": "plain/text"}. 我只能发送的标题是{“Content-Type”:“plain / text”}。 All other header names/values give an error in Google Chrome but work in all browsers I mentioned above. 所有其他标题名称/值都会在Google Chrome中出错,但可以在我上面提到的所有浏览器中使用。

Why Google Chrome doesn't handle headers in CORS request? 为什么Google Chrome无法处理CORS请求中的标头?

4 个解决方案

解决方案1
 16 已采纳  2013-01-27 19:51:15

这是Google Chrome中的一个错误: http//code.google.com/p/chromium/issues/detail ?id = 96007

解决方案2
 3  2013-01-27 17:20:40

I'm using self-signed certificate on my api server and that seems to be the issue. 我在我的api服务器上使用自签名证书,这似乎是个问题。 I found that if I start Google Chrome with --disable-web-security option, then CORS with request headers is working. 我发现如果我使用--disable-web-security选项启动Google Chrome,那么带有请求标头的CORS就可以了。 Without --disable-web-security I can send CORS requests to self-signed api server but can't add any headers (except Content-Type). 没有--disable-web-security我可以将CORS请求发送到自签名api服务器但不能添加任何头文件(Content-Type除外)。

解决方案3
 3  2013-06-15 15:46:26

I found that Access-Control-Allow-Headers: * should be set ONLY for "OPTIONS" request. 我发现只应为“OPTIONS”请求设置Access-Control-Allow-Headers:*。 If you return it for POST request then browser cancel the request (at least for chrome) 如果你将它返回POST请求,那么浏览器会取消请求(至少对于chrome)

The following PHP code works for me 以下PHP代码适用于我 

// Allow CORS
header("Access-Control-Allow-Origin: *");
header('Access-Control-Allow-Credentials: true');    
header("Access-Control-Allow-Methods: GET, POST, OPTIONS"); 

// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
  header("Access-Control-Allow-Headers: *");
}

I found similar questions with some misleading response: - Server thread says that this is 2 years bug of chrome: Access-Control-Allow-Headers does not match with localhost. 我发现类似的问题有一些误导性的反应: - 服务器线程说这是2年的chrome错误:Access-Control-Allow-Headers与localhost不匹配。 It's wrong: I can use CORS to my local server with Post normally - Access-Control-Allow-Headers does accept wildcards. 这是错误的:我可以使用CORS到我的本地服务器,通常是Post - Access-Control-Allow-Headers接受通配符。 It's also wrong, wildcard works for me (I tested only with Chrome) 这也是错的,通配符适用于我(我只测试过Chrome)

This take me half day to figure out the issue. 我花了半天时间来弄清楚这个问题。

Happy coding 快乐的编码

解决方案4
 1  2013-01-25 10:04:25

Server side : The server should set the header "Access-Control-Allow-Credentials" and also set the allowed headers in "Access-Control-Allow-Headers". 服务器端 :服务器应设置标头“Access-Control-Allow-Credentials”,并在“Access-Control-Allow-Headers”中设置允许的标头。

Client side : You can set xhrFields in $.ajax() instead of explicitly passing Auth header. 客户端 :您可以在$ .ajax()中设置xhrFields,而不是显式传递Auth标头。 

xhrFields: {
    withCredentials: true 
}

More details here . 更多细节在这里

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用标头发送时,jQuery AJAX CORS请求失败 - jQuery AJAX CORS request fails when sent with headers AJAX 无法在 CORS 请求后在浏览器上设置 Cookie。 Set-Cookie 标头仅存在于 FireFox 中,不存在于 Chrome 中 - AJAX fails to set Cookies on browser after CORS request. Set-Cookie header is present only in FireFox, not in Chrome 尽管我的服务器启用了标头 - (Access-Control*),但 AJAX CORS 请求失败 - AJAX CORS request fails although my server enables headers - (Access-Control*) CORS 预检请求返回“403 Forbidden”; 后续请求然后只在 Chrome 中发送 - CORS preflight request returning "403 Forbidden"; subsequent request then only sending in Chrome 缺少使用CORS响应jQuery请求的标头 - Missing headers in response for jQuery request with CORS 无法使用jQuery读取CORS请求的响应头 - Cannot read response headers for CORS request with jQuery 向 ajax 请求添加标头失败 - Adding headers to ajax request fails 具有凭证的jQuery CORS仅在Chrome中有效 - jQuery CORS with credentials only works in Chrome chrome中的Ajax请求(仅在Chrome中) - Ajax Request in chrome(Only in Chrome) chrome上的jQuery Ajax请求失败 - Jquery ajax request fails on chrome
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM