在 Slim 框架上的 CORS 期间预检授权 header
Preflight authorization header during CORS on Slim framework
现在我遇到了 CORS(cross-origin 资源共享)的问题,尤其是在尝试向 slim api 发送授权时。我已尝试删除 jquery 上的授权 header,效果非常好!但我需要授权才能通过 api 密钥,我不知道如何绕过预检模式(选项)。这是 javascript 代码。
$.ajax({
type:'GET',
url:baseApi+'/code/account',
crossDomain:true,
xhrFields:{
withCredentials:true
},
beforeSend:function(xhr){
$overlay.css('display','block');
xhr.setRequestHeader("Authorization",boot._header);
},
complete:function(xhr){
// complete scope
}
});
在 slim 框架上,我已将 Access-Control-Allow-Origin 设置为白名单源域 (www.example.com)。这是完整的配置
if (isset($_SERVER['HTTP_ORIGIN'])) {
if($_SERVER['HTTP_ORIGIN'] == "http://www.example.com"){
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
}
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400'); // cache for 1 day
}
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
header("Access-Control-Allow-Headers: Authorization, authorization, Content-Type");
}
这里是完整的请求和响应headers
响应Headers
HTTP/1.1 404 Not Found
Date: Tue, 14 Feb 2017 14:44:34 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/5.6.24 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.24
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, authorization
Content-Length: 514
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
请求Headers
OPTIONS /code/account HTTP/1.1
Host: api.example.com
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Access-Control-Request-Headers: authorization
Referer: http://www.example.com/account/payout
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6,ms;q=0.4
Accept: */*
我已经尝试过其他人可能的解决方案,但没有机会解决这个问题。总是显示 404 并调用了 OPTIONS 方法,而不是应该的 GET 方法。
经过研究和调查,我最终按照@Mika Tuupola 的建议为 Slim 使用了 CORS 中间件。但是因为我使用的是 Slim v2,所以这个 repo https://github.com/palanik/CorsSlim suitable for me. And if you are using Slim v3, use this repo https://github.com/tuupola/cors-middleware 是由我们的救星创建的。希望对您有所帮助!
对于 Slim Framework 2.4 版本,我做了一个小改动来处理 Preflight OPTIONS 请求
\Slim\Slim::registerAutoloader();
$app = new \Slim\Slim();
if($app->request->isOptions()) {
return true;
break;
}
$app->post('/authenticate', 'authenticateUser');
$app->run();
所以这将跟踪所有 OPTIONS 请求并且 return true 并且它对我有用。
我的 .htaccess 文件如下所示
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "X-Requested-With, Content-Type, Accept, Origin, Authorization"
Header add Access-Control-Allow-Methods "GET, POST, OPTIONS"
希望对您有所帮助。
现在我遇到了 CORS(cross-origin 资源共享)的问题,尤其是在尝试向 slim api 发送授权时。我已尝试删除 jquery 上的授权 header,效果非常好!但我需要授权才能通过 api 密钥,我不知道如何绕过预检模式(选项)。这是 javascript 代码。
$.ajax({
type:'GET',
url:baseApi+'/code/account',
crossDomain:true,
xhrFields:{
withCredentials:true
},
beforeSend:function(xhr){
$overlay.css('display','block');
xhr.setRequestHeader("Authorization",boot._header);
},
complete:function(xhr){
// complete scope
}
});
在 slim 框架上,我已将 Access-Control-Allow-Origin 设置为白名单源域 (www.example.com)。这是完整的配置
if (isset($_SERVER['HTTP_ORIGIN'])) {
if($_SERVER['HTTP_ORIGIN'] == "http://www.example.com"){
header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
}
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Max-Age: 86400'); // cache for 1 day
}
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
header("Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS");
if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
header("Access-Control-Allow-Headers: Authorization, authorization, Content-Type");
}
这里是完整的请求和响应headers
响应Headers
HTTP/1.1 404 Not Found
Date: Tue, 14 Feb 2017 14:44:34 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/5.6.24 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.24
Access-Control-Allow-Origin: http://www.example.com
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, authorization
Content-Length: 514
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
请求Headers
OPTIONS /code/account HTTP/1.1
Host: api.example.com
Connection: keep-alive
Access-Control-Request-Method: GET
Origin: http://www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Access-Control-Request-Headers: authorization
Referer: http://www.example.com/account/payout
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,id;q=0.6,ms;q=0.4
Accept: */*
我已经尝试过其他人可能的解决方案,但没有机会解决这个问题。总是显示 404 并调用了 OPTIONS 方法,而不是应该的 GET 方法。
经过研究和调查,我最终按照@Mika Tuupola 的建议为 Slim 使用了 CORS 中间件。但是因为我使用的是 Slim v2,所以这个 repo https://github.com/palanik/CorsSlim suitable for me. And if you are using Slim v3, use this repo https://github.com/tuupola/cors-middleware 是由我们的救星创建的。希望对您有所帮助!
对于 Slim Framework 2.4 版本,我做了一个小改动来处理 Preflight OPTIONS 请求
\Slim\Slim::registerAutoloader();
$app = new \Slim\Slim();
if($app->request->isOptions()) {
return true;
break;
}
$app->post('/authenticate', 'authenticateUser');
$app->run();
所以这将跟踪所有 OPTIONS 请求并且 return true 并且它对我有用。
我的 .htaccess 文件如下所示
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "X-Requested-With, Content-Type, Accept, Origin, Authorization"
Header add Access-Control-Allow-Methods "GET, POST, OPTIONS"
希望对您有所帮助。