不记名令牌已被 CORS 政策阻止
我在跨源访问时遇到问题。 当我发送授权标头中没有不记名令牌的请求时,它可以工作。 当我使用不记名令牌执行相同的请求时,我收到以下警报:
从源访问“XXX/API/TEST/TEST.php”处的 XMLHttpRequest “http://localhost:4200”已被 CORS 策略阻止:响应 预检请求未通过访问控制检查:它没有 HTTP 正常状态。
在我的 php API 中,我有以下标头:
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");
header("Access-Control-Allow-Methods: *");
header("Access-Control-Max-Age: 3600");
header ("Access-Control-Allow-Headers: Content-Type, Authorization, Accept, Accept-Language,X-Authorization");
在我的 js 脚本中,我有:
xhr.setRequestHeader("Accept", "application/json");
xhr.setRequestHeader("Authorization", "Bearer " + getCookie(COOKIE_NAME));
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
我看到了以下建议:
在客户端上,指定要包含在请求中的授权标头。
在服务器上,使用 Access-Control-Allow-Origin 标头进行响应,其中包含执行请求的源或通配符。
在服务器上,以 Access-Control-Allow-Headers: Authorization 进行响应,通知浏览器允许请求中的 Authorization 标头。
但我无法让它发挥作用。
编辑1 我发现出了什么问题: 当我使用方法 PUT 或 DELETE 时,它会发送一个以“OPTIONS”作为方法类型的预检请求。 但我的 php 代码不允许选项,我在标题后添加以下代码,它工作正常!
if($_SERVER['REQUEST_METHOD'] === "OPTIONS"){
http_response_code(200);
exit;
}
i have trouble with cross origin access.
When i send a request without a bearer token in Authorization header, it's work.
When i do the same request with a bearer token, i have the following alert :
Access to XMLHttpRequest at 'XXX/API/TEST/TEST.php' from origin
'http://localhost:4200' has been blocked by CORS policy: Response to
preflight request doesn't pass access control check: It does not have
HTTP ok status.
In my php API i have the Following header :
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");
header("Access-Control-Allow-Methods: *");
header("Access-Control-Max-Age: 3600");
header ("Access-Control-Allow-Headers: Content-Type, Authorization, Accept, Accept-Language,X-Authorization");
In my js script i have that :
xhr.setRequestHeader("Accept", "application/json");
xhr.setRequestHeader("Authorization", "Bearer " + getCookie(COOKIE_NAME));
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
I have seen the folowing advice :
On the client, specify the Authorization header you want to include in the request.
On the server, respond with Access-Control-Allow-Origin header, containing the origin that performs the request, or a wildcard.
On the server, respond with Access-Control-Allow-Headers: Authorization to inform the browser that the Authorization header in the request is permitted.
But i can't get it work.
EDIT 1
I have found what was wrong :
When i use method PUT or DELETE it send a preflight request with "OPTIONS" as method type.
But my php code didn't allow OPTIONS, i add the following code after my headers and it's work fine !
if($_SERVER['REQUEST_METHOD'] === "OPTIONS"){
http_response_code(200);
exit;
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论