拒绝设置不安全的标头“Origin"使用谷歌浏览器的 xmlHttpRequest 时

收到此错误消息:拒绝设置不安全的标头Origin"

使用此代码:

   function getResponse() {
            document.getElementById("_receivedMsgLabel").innerHTML += "getResponse() called.<br/>";
            if (receiveReq.readyState == 4 || receiveReq.readyState == 0) {
                receiveReq.open("GET", "http://L45723:1802", true, "server", "server123");  //must use L45723:1802 at work.
                receiveReq.onreadystatechange = handleReceiveMessage;
                receiveReq.setRequestHeader("Origin", "http://localhost/");
                receiveReq.setRequestHeader("Access-Control-Request-Origin", "http://localhost");
                receiveReq.timeout = 0;
                var currentDate = new Date();
                var sendMessage = JSON.stringify({
                    SendTimestamp: currentDate,
                    Message: "Message 1",
                    Browser: navigator.appName
                });
                receiveReq.send(sendMessage);

            }
        }

我做错了什么?为了使这个 CORS 请求正常工作，我在标头中遗漏了什么?

What am I doing wrong? What am I missing in the header to make this CORS request work?

我尝试删除 receiveReq.setRequestHeader("Origin", ...) 调用，但 Google Chrome 在我的 receiveReq.open() 调用中引发访问错误...

I tried removing the receiveReq.setRequestHeader("Origin", ...) call but then Google Chrome throws an access error on my receiveReq.open() call...

为什么?

推荐答案

这只是一个猜测，因为我使用 jquery 处理 ajax 请求，包括 CORS.

This is just a guess, as I use jquery for ajax requests, including CORS.

我认为浏览器应该设置标题，而不是你.如果您能够设置标题，那将破坏安全功能的目的.

I think the browser is supposed to set the header, not you. If you were able to set the header, that would defeat the purpose of the security feature.

在不设置这些标头的情况下尝试请求，看看浏览器是否为您设置了它们.

Try the request without setting those headers and see if the browser sets them for you.