jQuery Dropzone 的 CORS 问题并上传到 Imgur
我尝试使用 jQuery Dropzone 将图像上传到 Imgur 或任何其他域,但这不起作用.
I tried to use jQuery Dropzone to upload an image to Imgur or any other domain but that's not working.
success: -> console.log arguments
paramName: "image"
method: "post"
maxFilesize: 2
url: "https://api.imgur.com/3/upload"
Authorization: "Client-ID *************"
This doesn't work. It says that return code is 0. The request headers:
Host: api.imgur.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://my.opencubes.io
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization,cache-control,x-requested-with
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
首先你可以看到cient id没有出现:(.但最大的问题是使用的方法是OPTIONS
First as you can see the cient id doesn't appear :(. But the big problem is that the method used is OPTIONS
. The response headers:
当我尝试将文件上传到我的另一个域时遇到同样的问题(dropzone 位于子域中)
Une demande multi-origines (Cross-Origin Request) a été bloquée : la politique « Same Origin » ne permet pas de consulter la ressource distante située sur https://api.imgur.com/3/upload. Ceci peut être corrigé en déplaçant la ressource sur le même domaine ou en activant CORS.
多源请求被阻止:同源"策略不允许查看位于 https://api.imgur.com/3/upload.这可以通过移动 samin 域上的资源或启用 CORS 来解决.
A multi-origin request was blocked: the policy "Same origin" does not allow to see remote resource located in https://api.imgur.com/3/upload. this an be fixed by moving the resource on the samin domain or by enabling CORS.
OPTIONS 请求是一个普通请求:用于请求与 CORS 限制相关的权限.查看此页面了解如何CORS 在后台工作.
The OPTIONS request is a normal request: this is used to ask for permissions relative to CORS restrictions. Have a look to this page to understand how CORS work under the hood.
在您的情况下,这是一个纯粹的 CORS 相关问题.OPTIONS 请求包含此标头:
In your case, this is a pure CORS related issue. The OPTIONS request contains this header:
Access-Control-Request-Headers: authorization,cache-control,x-requested-with
Which means: can I use "authorization", "cache-control" and "x-requested-with" headers in my cross-domain AJAX request ?
Access-Control-Allow-Headers :"Authorization, Content-Type, Accept, X-Mashape-Authorization"
Which means: you're allowed to use those headers only: "Authorization", "Content-Type", "Accept", and "X-Mashape-Authorization".
As you can see, "cache-control" and "x-requested-with" are not listed in the allowed list, causing the browser to reject the request.
我来到了 2 个显示这种行为的测试代码示例:
I've come to 2 test code sample which show this behavior:
var data = new FormData();
data.append('image', 'http://placehold.it/300x500');
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://api.imgur.com/3/upload', true);
xhr.setRequestHeader('Authorization', 'Client-ID xxxxxxxxxx');
以下是运行此代码时发送的预检请求标头(如 Firefox 30 devtools 所示,我已删除不相关的标头,例如 User-Agent、Accept ...):
Here are the preflight request's headers sent when running this code (as shown by Firefox 30 devtools, and I've removed unrelated headers such as User-Agent, Accept ...):
- 选项 https://api.imgur.com/3/upload李>
- 主机:api.imgur.com
- 来源:http://local.host:8080
- 访问控制请求方法:POST
- Access-Control-Request-Headers:授权
- 缓存控制:无缓存
- 访问控制允许来源:*"
- Access-Control-Allow-Methods :"GET, PUT, POST, DELETE, OPTIONS"
- Access-Control-Allow-Headers :"授权、Content-Type、Accept、X-Mashape-Authorization"
- access-control-allow-origin :"*"
- Access-Control-Allow-Methods :"GET, PUT, POST, DELETE, OPTIONS"
- Access-Control-Allow-Headers :"Authorization, Content-Type, Accept, X-Mashape-Authorization"
Here, we can see that we prompt access to the "authorization" header, and the server is accepting this header, allong with the POST method and any origin URL, so the CORS requirements are satisfied and the request is allowed by the browser.
var data = new FormData();
data.append('image', 'http://placehold.it/300x500');
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://api.imgur.com/3/upload', true);
xhr.setRequestHeader('Authorization', 'Client-ID xxxxxxxxxx');
// the only difference with the previous code is this line
xhr.setRequestHeader('Cache-Control', 'no-cache');
- 选项https://api.imgur.com/3/upload
- 主机:api.imgur.com
- 来源:http://local.host:8080
- 访问控制请求方法:POST
- Access-Control-Request-Headers:授权、缓存控制
- 缓存控制:无缓存
预检响应的标头(与示例 1 相同):
Preflight response's headers (which is the same as in example 1):
- 访问控制允许来源:*"
- Access-Control-Allow-Headers :"Authorization, Content-Type, Accept, X-Mashape-Authorization"
Here, the "Access-Control-Request-Headers" header prompt access for "cache-control", which the server does not provide, so the CORS requirements are not satisfied and the request is rejected by the browser.
这里有一个 JSFiddle 引用不同的工作和不工作的演示来解决你的问题:http://jsfiddle.net/pomeh/Lfajnebh/一个>.注意细节以了解发生了什么,评论很少,但他们在这里强调代码中最棘手的部分.
Here's a JSFiddle referencing different working and not working demos for your problem: http://jsfiddle.net/pomeh/Lfajnebh/. Pay attention to details to understand what's going on, there is few comments but they are here to emphasis trickiest parts of the code.
作为奖励,我已向 DropZone 的 GitHub 存储库发送了一个拉取请求以解决此问题(https://github.com/enyo/dropzone/pull/685),它允许您通过 DropZone 删除预定义的标题.试试看:
As a bonus, I've sent a pull request to DropZone's GitHub repository to fix this problem (https://github.com/enyo/dropzone/pull/685) which allows you to remove pref-defined headers by DropZone. Give it a try:
var myDropzone = new Dropzone('.dropzone', {
headers: {
'Authorization': authorizationHeader,
// remove Cache-Control and X-Requested-With
// to be sent along with the request
'Cache-Control': null,
'X-Requested-With': null
The code above should work with my patched version (https://github.com/pomeh/dropzone/commit/f0063db6e5697888582421865840258dec1ffdc1), whereas the code above should not:
var myDropzone = new Dropzone('.dropzone', {
headers: {
'Authorization': authorizationHeader,
// remove Cache-Control and X-Requested-With
// to be sent along with the request