How do I allow cross origin resource sharing?
I don't know why my ajax CORS is not working..
ajax
    $(document).ready(function(){
        var xhr = new XMLHttpRequest();
        $.ajax({
            url: "SERVER_URL_AND_PARAMETERS",
            type: "POST",
            beforeSend: function(xhr){
                // Adds CORS headers to the outgoing request
                xhr.setRequestHeader("Access-Control-Allow-Origin", "*");
                xhr.setRequestHeader("Access-Control-Allow-Methods", "GET, POST");
            },
            dataType: "json",
            crossDomain: true,
            success: function(data, textStatus, xhr){
                alert(data);
            },
            error: function(xhr, status, error){
                // xhr carries the HTTP status and body; error is the status text
                alert("code:" + xhr.status + "\n" + "message:" + xhr.responseText + "\n" + "error:" + error);
            }
        });
    });
Response headers
Allow:GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Cache-Control:no-cache="set-cookie, set-cookie2"
Connection:Keep-Alive
Content-Language:ko-KR
Content-Length:0
Content-Type:text/plain
Date:Mon, 02 Nov 2015 07:19:54 GMT
Expires:Thu, 01 Dec 1994 16:00:00 GMT
Keep-Alive:timeout=10, max=100
Set-Cookie:SOME_COOKIES; Expires=Tue, 01-Nov-16 07:19:53 GMT; Path=/
X-UA-Compatible:IE=EmulateIE8, requiresActiveX=true
Request headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:accept, access-control-allow-headers, access-control-allow-methods, access-control-allow-origin
Access-Control-Request-Method:POST
Connection:keep-alive
Host:SERVER_URL
Origin:http://CLIENT_URL
Referer:http://CLIENT_URL/AND/JSP_FILE_PATH.jsp?lineCd=CODE1&prdtCode=CODE2
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Chrome error details
XMLHttpRequest cannot load SERVER_URL_AND_PARAMETER Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'CLIENT_URL' is therefore not allowed access.
I don't know what's wrong with my code. I'm developing the CLIENT_URL side web application.
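CORS headers such as "Access-Control-Allow-Origin" must be set by the server, not by the client. It is the server that grants CORS access to the client, not the other way around. You cannot grant yourself CORS access from the browser.
From the MDN section on CORS, here's a descriptive quote: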
The Cross-Origin Resource Sharing standard works by adding new HTTP
headers that allow servers to describe the set of origins that are
permitted to read that information using a web browser. Additionally,
for HTTP request methods that can cause side-effects on user data (in
particular, for HTTP methods other than GET, or for POST usage with
certain MIME types), the specification mandates that browsers
"preflight" the request, soliciting supported methods from the server
with an HTTP OPTIONS request method, and then, upon "approval" from
the server, sending the actual request with the actual HTTP request
method. Servers can also notify clients whether "credentials"
(including Cookies and HTTP Authentication data) should be sent with
requests.
Pay particular attention to the "allow servers to describe the set of origins that are permitted to read that information using a web browser" part.
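What "set by the server" looks like in practice, as an added example that is not part of the original question or answer: a function a Node.js server could call to decide the CORS response headers from an origin allowlist, run against the preflight shown in the question. The allowlist, the permitted methods and headers, and the name `corsResponse` are assumptions.

```javascript
// Added example (not from the original post). Policy values are assumptions.
const ALLOWED_ORIGINS = new Set(["http://CLIENT_URL"]); // placeholder used in the question
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["accept", "content-type"];

// Decide the CORS part of a response. `method` is the HTTP method received;
// `req` maps lower-cased request header names to values (as Node's http does).
function corsResponse(method, req) {
  const headers = { "Vary": "Origin" }; // caches must not reuse one origin's answer
  const origin = req["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, headers, refused: [] }; // no Allow-Origin: browser blocks
  }
  const isPreflight = method === "OPTIONS" && "access-control-request-method" in req;
  if (isPreflight) {
    const wanted = req["access-control-request-method"].toUpperCase();
    const refused = (req["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase())
      .filter((h) => h && !ALLOWED_HEADERS.includes(h));
    if (!ALLOWED_METHODS.includes(wanted) || refused.length > 0) {
      return { allowed: false, headers, refused };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  }
  headers["Access-Control-Allow-Origin"] = origin; // the allowlisted origin, not "*"
  return { allowed: true, headers, refused: [] };
}

// Constructed inputs, using the placeholders from the question.
// 1: the preflight from the question; the headers added in beforeSend are
//    announced in Access-Control-Request-Headers and this policy refuses them.
const fromQuestion = corsResponse("OPTIONS", {
  "origin": "http://CLIENT_URL",
  "access-control-request-method": "POST",
  "access-control-request-headers":
    "accept, access-control-allow-headers, access-control-allow-methods, access-control-allow-origin",
});
// 2: the same page once beforeSend is deleted: a plain cross-origin POST.
const afterFix = corsResponse("POST", { "origin": "http://CLIENT_URL" });
// 3: an origin that is not on the allowlist.
const stranger = corsResponse("POST", { "origin": "http://other.example" });

console.log(fromQuestion.allowed, fromQuestion.refused);
console.log(afterFix.allowed, afterFix.headers);
console.log(stranger.allowed, stranger.headers);
```

The returned headers are written onto the real response, for example with `res.setHeader(name, value)` in Node's `http` module; a refused preflight is sent without `Access-Control-Allow-Origin`, which is what makes the browser block the call.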