【发布时间】:2015-08-27 01:55:21
【问题描述】:
与往常一样,我会尽量让我的问题甜美干净。
我必须将 CORS 作为需求请求发送,我正在通过 $.ajax 发送它,它看起来像这样:
$.ajaxSetup({
beforeSend: function (jqXHR, options) {
options.url = Utils.setUrlHostname(options.url);
options.xhrFields = {
withCredentials: true
};
jqXHR.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
}
});
在服务器端(php - zend 框架)我正在处理这样的标头:
public function OPTIONS_ProxyAction()
{
$this->getResponse()->setHeader('Access-Control-Allow-Methods', 'OPTIONS, GET, POST, PUT, DELETE');
$this->getResponse()->setHeader('Access-Control-Allow-Headers', 'Content-Type, x-requested-with');
$this->getResponse()->setHeader('Access-Control-Allow-Credentials', 'true');
$this->getResponse()->setBody(null);
$this->_helper->viewRenderer->setNoRender(true);
}
预检请求标头看起来不错,我得到了 200 OK:
请求标头:
Host: domain1111.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://domain2222.com
Access-Control-Request-Method: GET (this is seen as OPTIONS in network tab)
Access-Control-Request-Headers: x-requested-with
Connection: keep-alive
Cache-Control: max-age=0
和响应标头:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Requested-With, Content-Type
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, DELETE
Access-Control-Allow-Origin: https://domain2222.com
Cache-Control: max-age=0, s-maxage=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html
Date: Thu, 11 Jun 2015 08:40:42 GMT
Etag: "d41d8cd98f00b204e9800998ecf8427e"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache
Vary: X-CDN
X-Frame-Options: SAMEORIGIN
X-Ua-Compatible: IE=edge,chrome=1
我得到空响应,这很好,新请求被发送到同一个地址,但方法是 GET 而不是 OPTIONS,它看起来像这样:
请求标头:
Host: domain1111.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://domain2222.com/some/request
Origin: https://domain1111.com
Cookie: s1=533C36A9095C003A;
BGUID=some complicated guid here
Connection: keep-alive
Cache-Control: max-age=0
然后回应:
Access-Control-Allow-Origin: https://domain2222.com
Cache-Control: max-age=0, s-maxage=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Length: 3278
Content-Type: application/json
Date: Thu, 11 Jun 2015 08:40:43 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=99
Pragma: no-cache
Server: Apache
Vary: X-CDN
X-Frame-Options: SAMEORIGIN
问题是在发送真正的请求后,我进入了 Firefox:
跨域请求被阻止:同源策略不允许读取 https://domain1111.com/some/request 的远程资源。 (原因: 在 CORS 标头“Access-Control-Allow-Credentials”中预期为“true”)
在 Chrome 中也是如此:
XMLHttpRequest 无法加载 https://domain1111.com/some/request。 凭据标志为“真”,但“访问控制允许凭据” 标题是''。必须为“true”才能允许凭据。
当第二个 CORS 请求完成时会发生这些错误。 所以在发送第一个预检请求后,它返回 200 OK 和一个空响应,这很好;发送第二个请求后,我收到了上面列出的错误,没有返回数据。
此外,Firefox 中的“响应”选项卡给了我这样的信息:
SyntaxError: JSON.parse: unexpected end of data at line 1 column 1 on the JSON data
我不确定在第二次请求期间是否也发送了属性“withCredential”,并且服务器可能没有返回:
'Access-Control-Allow-Credentials', 'true'
为什么它只发生在 OPTIONS 请求中?
无论请求方法是什么,我都应该从服务器返回这些标头吗?或者也许ajaxSetup有问题?也许它不应该在第二个 CORS 请求中发送“withCredentials:true”?
更新:
已通过添加 Access-Control-Allow-Credentials 解决了该问题: true,对服务器返回的所有响应(PUT、GET、POST、DELETE、OPTIONS)
【问题讨论】:
标签: javascript jquery ajax zend-framework cors