jQuery AJAX 调用导致错误状态 403

2022-01-15 00:00:00 cors jquery ajax http-status-code-403

我正在使用 jQuery AJAX 对 Web 服务进行查询.我的查询如下所示:

I'm making a query to a web service using jQuery AJAX. My query looks like this:

var serviceEndpoint = 'http://example.com/object/details?version=1.1';
$.ajax({
  type: 'GET', 
  url: serviceEndpoint,
  dataType: 'jsonp',
  contentType: 'jsonp',
  headers: { 'api-key':'myKey' },
  success: onSuccess,
  error: onFailure
});

执行此操作时,我收到 403 状态错误.我不明白为什么我的调用会导致状态码为 403.我控制着我的服务的安全性,它被标记为完全开放.我知道密钥是有效的,因为我在另一个调用中使用它,它有效.这是有效的调用:

When I execute this, I get a status error of 403. I do not understand why my call results in having the status code 403. I'm in control of the security on my service and it is marked as wide-open. I know the key is valid, because I'm using it in another call, which works. Here is the call that works:

var endpoint = 'http://example.com/object/data/item?version=1.1';
$.ajax({ 
  type: 'POST', 
  url: endpoint, 
  cache: 'false',
  contentType:'application/json',
  headers: {
    'api-key':'myKey',
    'Content-Type':'application/json'
  },
  data: JSON.stringify({
    id: 5,
    count:true
  }),
  success: onDataSuccess,
  error: onDataFailure
});

我知道这是两个不同的端点.但我 100% 确信这不是服务器端身份验证或权限错误.再一次,服务器端的一切都是开放的.这意味着我在客户端请求上犯了一些错误.

I know these are two different endpoints. But I'm 100% convinced this is not a server-side authentication or permission error. Once again, everything is wide open on the server-side. Which implies that I'm making some mistake on my client-side request.

我觉得我应该传达这个请求是在开发过程中提出的.所以,我从 http://localhost:3000 运行它.出于这个原因,我立即认为这是一个 CORS 问题.但一切看起来都是正确的.我的 POST 请求有效,但我的 GET 并没有让我感到非常沮丧.我错过了什么吗?会是什么?

I feel I should communicate that this request is being made during development. So, I'm running this from http://localhost:3000. For that reason, I immediately assumed it was a CORS issue. But everything looks correct. The fact that my POST request works, but my GET doesn't has me absolutely frustrated. Am I missing something? What could it be?

推荐答案

403错误的原因是你没有发送headers.由于您正在发出 CORS 请求,因此您无法发送任何自定义标头,除非服务器通过在响应中添加 Access-Control-Allow-Headers 来启用这些标头.

The reason of 403 error is you are not sending headers. Since you are making a CORS request, you cannot send any custom headers unless server enables these header by adding Access-Control-Allow-Headers to the response.

在 preflighted-request 中,客户端向服务器发出 2 个请求.第一个是预检(使用 OPTIONS 方法),第二个是真正的请求.服务器发送 Access-Control-Allow-Headers 标头作为预检请求的响应.因此,它可以发送一些标头.通过这种方式,您的 POST 请求可以工作,因为 POST 请求是预检请求.但是对于 GET 请求,没有预检来收集 Access-Control-Allow-Headers 标头和浏览器在这种情况下不会发送您的自定义标头.

In a preflighted-request, client makes 2 requests to the server. First one is preflight (with OPTIONS method) and the second one is the real request. The server sends Access-Control-Allow-Headers header as a response of the preflight request. So it enables some headers to be sent. By this way your POST request can work because the POST request is a preflight-request. But for a GET request, there is no preflight to gather Access-Control-Allow-Headers header and browser doesn't send your custom headers in this case.

解决此问题的方法:

作为一种解决方法,将您的 dataTypecontentType 设置为 json,如下所示:

As a workaround, set your dataType and contentType to json as the following:

var serviceEndpoint = 'http://example.com/object/details?version=1.1';
$.ajax({
  type: 'GET', 
  url: serviceEndpoint,
  dataType: 'json',
  contentType: 'json',
  headers: { 'api-key':'myKey' },
  success: onSuccess,
  error: onFailure
});

通过这种方式,您的获取请求将是一个预检请求.如果您的服务器使用 api-key" rel="nofollow noreferrer">Access-Control-Allow-Headers 标头,它会起作用.

By this way, your get request will be a preflighted request. If your server enables the api-key with Access-Control-Allow-Headers header, it will work.

上述请求的示例服务器配置(用 express.js 编写):

Sample server configuration for the above request (written in express.js):

res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Methods', '*');
res.setHeader('Access-Control-Allow-Headers', 'api-key,content-type');
res.setHeader('Access-Control-Allow-Credentials', true);

添加:

实际上,contentType 应该是 application/javascriptapplication/json 在进行 jsonp 请求时.没有 contentType 作为 jsonp.

Actually, contentType should be either application/javascript or application/json while doing a jsonp request. There is no contentType as jsonp.

相关文章