当前位置: 文江博客话题详情

CORS - 如何进行“预检”?一个http请求?

发布于 2024-12-23 08:05:35 字数 692 浏览 2 评论 0原文

我正在尝试向 WCF 服务(我拥有的)发出跨域 HTTP 请求。我已经阅读了几种处理跨域脚本限制的技术。因为我的服务必须同时容纳 GET 和 POST 请求,所以我无法实现某些 src 是 GET 请求的 URL 的动态脚本标记。由于我可以自由地在服务器上进行更改,因此我开始尝试实现一种解决方法,其中涉及配置服务器响应以包含“Access-Control-Allow-Origin”标头以及带有 OPTIONS 请求的“预检”请求。我从这篇文章中得到了这个想法:让 CORS 工作

在服务器上另一方面,我的 Web 方法正在将“Access-Control-Allow-Origin: *”添加到 HTTP 响应中。我可以看到响应现在确实包含此标头。我的问题是:如何“预检”请求(选项)?我正在使用 jQuery.getJSON 发出 GET 请求,但浏览器立即取消请求,并出现以下臭名昭著的情况:

Access-Control-Allow-Origin 不允许来源 http://localhost

有人熟悉这种 CORS 技术吗?客户需要进行哪些更改才能预检我的请求?

谢谢!

原文

I am trying to make a cross domain HTTP request to WCF service (that I own). I have read several techniques for working with the cross domain scripting limitations. Because my service must accommodate both GET and POST requests I cannot implement some dynamic script tag whose src is the URL of a GET request. Since I am free to make changes at the server I have begun to try to implement a workaround that involves configuring the server responses to include the "Access-Control-Allow-Origin" header and 'preflight' requests with and OPTIONS request. I got the idea from this post : Getting CORS working

At the server side, my web method is adding 'Access-Control-Allow-Origin: *' to the HTTP response. I can see that responses do include this header now. My question is: How do I 'preflight' a request (OPTIONS)? I am using jQuery.getJSON to make the GET request but the browser cancels the request right away with the infamous:

Origin http://localhost is not allowed by Access-Control-Allow-Origin

Is anyone familiar with this CORS technique? What changes need to be made at the client to preflight my request?

Thanks!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

つ可否回来 2024-12-30 08:05:35

在预检请求期间,您应该看到以下两个标头:Access-Control-Request-Method 和 Access-Control-Request-Headers。这些请求标头向服务器请求发出实际请求的权限。您的预检响应需要确认这些标头才能使实际请求发挥作用。

例如,假设浏览器发出包含以下标头的请求:

Origin: http://yourdomain.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header

然后,您的服务器应使用以下标头进行响应:

Access-Control-Allow-Origin: http://yourdomain.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header

特别注意 Access-Control-Allow-Headers 响应标头。该 header 的值应该与 Access-Control-Request-Headers 请求头中的 headers 相同,并且不能是 '*'。

一旦您将此响应发送到预检请求,浏览器将发出实际请求。您可以在此处了解有关 CORS 的更多信息:http://www.html5rocks.com/en/tutorials/cors/

During the preflight request, you should see the following two headers: Access-Control-Request-Method and Access-Control-Request-Headers. These request headers are asking the server for permissions to make the actual request. Your preflight response needs to acknowledge these headers in order for the actual request to work.

For example, suppose the browser makes a request with the following headers:

Origin: http://yourdomain.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header

Your server should then respond with the following headers:

Access-Control-Allow-Origin: http://yourdomain.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header

Pay special attention to the Access-Control-Allow-Headers response header. The value of this header should be the same headers in the Access-Control-Request-Headers request header, and it can not be '*'.

Once you send this response to the preflight request, the browser will make the actual request. You can learn more about CORS here: http://www.html5rocks.com/en/tutorials/cors/

回复 原文
萧瑟寒风 2024-12-30 08:05:35

尽管这个帖子可以追溯到 2014 年,但这个问题对我们许多人来说仍然是当前的问题。以下是我在 jQuery 1.12 /PHP 5.6 上下文中处理它的方法:

  • jQuery 仅使用有限的标头发送其 XHR 请求;仅发送了“起源”。
  • 不需要预检请求。
  • 服务器只需检测到这样的请求,并添加“Access-Control-Allow-Origin:”。 $_SERVER['HTTP_ORIGIN'] 标头,在检测到这是跨源 XHR 后。

PHP 代码示例:

if (!empty($_SERVER['HTTP_ORIGIN'])) {
    // Uh oh, this XHR comes from outer space...
    // Use this opportunity to filter out referers that shouldn't be allowed to see this request
    if (!preg_match('@\.partner\.domain\.net$@'))
        die("End of the road if you're not my business partner.");

    // otherwise oblige
    header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
}
else {
    // local request, no need to send a specific header for CORS
}

特别是,不要添加 exit;,因为不需要预检。

Although this thread dates back to 2014, the issue can still be current to many of us. Here is how I dealt with it in a jQuery 1.12 /PHP 5.6 context:

  • jQuery sent its XHR request using only limited headers; only 'Origin' was sent.
  • No preflight request was needed.
  • The server only had to detect such a request, and add the "Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN'] header, after detecting that this was a cross-origin XHR.

PHP Code sample:

if (!empty($_SERVER['HTTP_ORIGIN'])) {
    // Uh oh, this XHR comes from outer space...
    // Use this opportunity to filter out referers that shouldn't be allowed to see this request
    if (!preg_match('@\.partner\.domain\.net$@'))
        die("End of the road if you're not my business partner.");

    // otherwise oblige
    header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
}
else {
    // local request, no need to send a specific header for CORS
}

In particular, don't add an exit; as no preflight is needed.

回复 原文
~没有更多了~

关于作者

请远离我

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

卷耳

文章 0 评论 0

佚名

文章 0 评论 0

℉服软

文章 0 评论 0

qq_2gSKZM

文章 0 评论 0

凉宸

文章 0 评论 0

gyhjy

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文