预检中带有 http 401 的 Ajax CORS 请求
我现在挣扎了好几个小时.我想向另一个域发出一个简单的 ajax 请求,但总是得到 http 401 错误:
I am struggling for hours now. I want to make a simple ajax request to another domain, but get http 401 Error all the time:
jQuery(document).ready(function($){
var challengeid = $('#codepressHook').data('challengeid');
var clicked = false;
$('#codepressHook').click(function(){
if(!clicked){
$.ajax({
url: "https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/"+challengeid+".json",
method: "GET",
dataType: "json",
jsonp: false,
contentType: "application/json",
xhrFields: {
withCredentials: true
},
beforeSend: function(xhr){
xhr.setRequestHeader("Authorization", "Basic "+ btoa(username+":"+password));
},
success: function(data){
$('#codepressHock').html(data.data.code);
},
error: function(error){
alert(error);
}
});
}
});
});
我在服务器端设置了所有相关的 CORS 标头.这是网络流量:
I set all relevant CORS headers on the serverside. Here is the network traffic:
Request URL:https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/45.json
Request Method:OPTIONS
Status Code:401 Unauthorized
Remote Address:185.102.94.230:443
Referrer Policy:no-referrer-when-downgrade
Response Headers
view source
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Content-Type, X-Requested-With, Authorization, Origin
Access-Control-Allow-Methods:POST, GET, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin:http://radbonus.com
Access-Control-Max-Age:31536000
Content-Length:463
Content-Type:text/html; charset=iso-8859-1
Date:Sat, 24 Jun 2017 11:25:33 GMT
Server:Apache/2.4.18 (Ubuntu)
WWW-Authenticate:Basic realm="Admin"
Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers:authorization,content-type
Access-Control-Request-Method:GET
Connection:keep-alive
Host:dev.radbonus.com
Origin:http://radbonus.com
Referer:http://radbonus.com/plugintest/
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
我知道有很多关于这个主题的帖子,但似乎我缺少一些简单的东西.谁能帮帮我?
I know that there are a lot of posts on this topic, but it seems I'm missing something simple. Could anyone help me?
推荐答案
UPDATE 看来我说的不对.Authorization
标头永远不会为 OPTIONS
请求发送.请参阅 sideshowbarker
的评论 - 您需要确保您的服务器不会以 401
响应 OPTIONS
请求.
UPDATE Looks like I was not right. Authorization
header is never sent for OPTIONS
request. Please see comment by sideshowbarker
- you need to make sure that your server doesn't respond with 401
to OPTIONS
request.
我不知道你的服务器是用什么语言编写的,但是你以错误的方式实现了授权 - OPTIONS 方法应该从 auth 中排除.另请参阅此处 - OPTIONS 请求身份验证
I don't know what language is your server written in, but you implemented authorization in the wrong way - OPTIONS method should be excluded from auth. Also see here - OPTIONS request authentication
以下是过时的答案:
您的服务器端需要对该请求进行 HTTP 基本身份验证.而且您不提供凭据.401错误与CORS无关;这只是意味着服务器选择不授权您的请求,因为您没有提供身份验证凭据.
Your serverside requires HTTP Basic authentication for this request. And you don't provide credentials. 401 error has nothing to do with CORS; it just means that the server chose to not authorize your request because you didn't provide auth credentials.
如果您尝试打开此网址(如 https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/1.json) 直接在浏览器中,您将被要求输入登录名和密码,这是浏览器使用 WWW-Authenticate 处理 401 错误的方式
标题.
If you try to open this url (like https://dev.radbonus.com/admin/affiliate-connections/retrieveSingle/1.json) directly in browser, you will be asked to enter login&password, which is how the browser handles 401 error with WWW-Authenticate
header.
请注意 Authorization
标头实际上并未包含在您的请求中.所以不要使用 beforeSend
钩子,你应该直接在你的调用中包含标题:
Please notice that Authorization
header is actually not included with your request.
So instead of using beforeSend
hook, you should probably just include header directly in your call:
headers: {
'Authorization': 'Basic ' + btoa(username+':'+password),
},
并确保 Authorization
标头出现在您的请求中.
And make sure that Authorization
header presents in your request.
相关文章