Javascript CORS - 不存在“Access-Control-Allow-Origin"标头
我一直在使用 CORS,遇到了以下问题.客户端抱怨没有 'Access-Control-Allow-Origin' 标头存在,而 它们存在,并且 客户端发出实际的 POST 请求 并且 收到 200强>.
I've been working with CORS and encountered the following issue. Client complains about no 'Access-Control-Allow-Origin' header is present, while they are present, and client make the actual POST request and receives 200.
function initializeXMLHttpRequest(url) { //the code that initialize the xhr
var xhr = new XMLHttpRequest();
xhr.open('POST', url, true);
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
//set headers
for (var key in headers) {
if (headers.hasOwnProperty(key)) { //filter out inherited properties
xhr.setRequestHeader(key,headers[key]);
}
}
return xhr;
}
在 Chrome 中
chrome 控制台日志
chrome console log
Chrome 选项请求
Chrome OPTIONS request
Chrome POST 请求
Chrome POST request
在火狐中
Firefox 控制台日志
Firefox Console Log
Firefox 选项请求
Firefox OPTIONS request
Firefox POST 请求
Firefox POST request
推荐答案
简而言之:访问控制标头(例如 Access-Control-Allow-Origin
)需要同时出现以响应 OPTIONS 和实际的POST.
In short: Access control headers (e.g. Access-Control-Allow-Origin
) need to present in response for both OPTIONS and actual POST.
工作流程:
Client 使用这些 HTTP 访问标头发出 OPTIONS 请求.(例如
Origin、Access-Control-Request-Method、Access-Control-Request-Headers
)
Client make OPTIONS request with those HTTP access headers. (e.g.
Origin, Access-Control-Request-Method, Access-Control-Request-Headers
)
服务器响应这些访问控制标头,允许访问.(例如 Access-Control-Allow-Origin、Access-Control-Expose-Headers、Access-Control-Max-Age、Access-Control-Allow-Credentials、Access-Control-Allow-Methods、Access-Control-Allow-标题
)
Server respond with those access control headers, allowing access. (e.g. Access-Control-Allow-Origin, Access-Control-Expose-Headers, Access-Control-Max-Age, Access-Control-Allow-Credentials, Access-Control-Allow-Methods, Access-Control-Allow-Headers
)
客户端使用数据发出 POST 请求.
Client makes POST request with data.
服务器响应 POST.如果服务器响应中不存在 Access-Control-Allow-Origin
标头.虽然 POST 成功并在 network 选项卡中显示 200 状态码,但 xhr.status
为 0 并且会触发 xhr.onerror
.浏览器会显示错误消息.
Server respond to POST. If Access-Control-Allow-Origin
header is NOT present in the server response. Although the POST is successful and shows 200 status code in network tab, xhr.status
is 0 and xhr.onerror
will be triggered. And browser would show up the error message.
标题参考:https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
相关文章