[翻译]  CORS request failure with jQuery using withCredentials and client certificates

[CHINESE]  使用withCredentials和客户端证书使用jQuery的CORS请求失败


I can't figure out why this CORS request is failing to return data.

我无法弄清楚为什么这个CORS请求无法返回数据。

I'm using Catalyst MVC on the backend, Firefox 24.0 as a browser. jQuery 1.9.1. Please note the following:

我在后端使用Catalyst MVC,使用Firefox 24.0作为浏览器。 jQuery 1.9.1。请注意以下事项:

  1. otherdomain.com requires a client certificate.
  2. otherdomain.com需要客户端证书。
  3. hitting the resource directly returns expected data. (https://otherdomain.com/resource/1) returns proper data.
  4. 直接命中资源会返回预期的数据。 (https://otherdomain.com/resource/1)返回正确的数据。

I have a simple page that tests the request:

我有一个测试请求的简单页面:

<script type='text/javascript'>
                function get_data() {
                        console.log("running");
                        $.ajax({
                                url: "https://otherdomain.com/resource/1",
                                dataType: 'json',
                                type: 'GET',
                                xhrFields: {
                                        'withCredentials': true
                                },
                                crossDomain: true
                        }).success(function(data) {
                                console.log(data)
                                $('#output').html(data);
                        }).error(function(xhr, status, error) {
                                alert("error");
                                console.log(xhr);
                        });
                }

    $(document).ready(function() {
            get_data();
    });
    </script>

</script>

Here are my request headers:

这是我的请求标题:

GET /resource/1 HTTP/1.1
Host: otherdomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://mydomain.com/test.html
Origin: https://mydomain.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

Here are my response headers. (copy of view source from firebug console) I see on my catalyst debug output that the request is served as 200 OK and the content is sent.

这是我的回复标题。 (来自firebug控制台的视图源的副本)我在我的催化剂调试输出上看到请求被提供为200 OK并且内容被发送。

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2013 19:31:08 GMT
Server: HTTP::Server::PSGI
Vary: Content-Type
Content-Length: 653
Content-Type: application/json
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1800
X-Catalyst: 5.90030
Via: 1.1 otherdomain.com

And the error is thrown from the ajax call:

并且从ajax调用抛出错误:

readyState: 0
responseText: ""
status: 0
statusText: "error"

firebug shows the response body as empty from the request event though it's a 200 OK.

firebug将请求事件中的响应主体显示为空,尽管它是200 OK。

I thought that when using 'withCredentials' a pre-flight request was required but I don't see an OPTIONS being sent via firebug.

我认为在使用'withCredentials'时需要一个飞行前请求,但我没有看到通过firebug发送的OPTIONS。

Also, i can see no Access-Control-Request-Header being added by my request, so I'm not returning any Access-Control-Allow-Headers from the server.

此外,我可以看到我的请求没有添加Access-Control-Request-Header,所以我没有从服务器返回任何Access-Control-Allow-Headers。

Now, the frontend of Catalyst is Apache2, and I'm using proxypass in a virtual host to send the request to catalyst on localhost:8080. I'm not sure if that has any bearing but thought it might be important. It should be transparent to the browser though.

现在,Catalyst的前端是Apache2,我在虚拟主机中使用proxypass将请求发送到localhost:8080上的catalyst。我不确定这是否有任何影响,但认为这可能很重要。它应该对浏览器透明。

Thanks for any help!

谢谢你的帮助!

2 个解决方案

#1


16  

  1. GET requests are not preflighted. See Here
  2. GET请求不是预检的。看这里
  3. When responding to a credentialed request, server must specify a domain, and cannot use wild carding. (must not be Access-Control-Allow-Origin: *). See Here
  4. 响应凭证请求时,服务器必须指定域,并且不能使用通配符。 (不得为Access-Control-Allow-Origin:*)。看这里

#2


0  

I have a similar issue, where everything works fine in Chrome, but I get 405 for all cross-domain requests in Firefox (and similar problems with IE). I tried adding xhrFields, and the crossDomain flag. I am also using beforeSend to actually do an xhr.withCredentials = true. I made sure that I have hostname match on the service backend. I use the Access-Control-Allow-Credentials header.

我有类似的问题,在Chrome中一切正常,但我在Firefox中的所有跨域请求(以及IE的类似问题)得到405。我尝试添加xhrFields和crossDomain标志。我也在使用beforeSend来实际执行xhr.withCredentials = true。我确保我在服务后端有主机名匹配。我使用Access-Control-Allow-Credentials标头。

The one thing that might be different... I only send these headers when the Origin header is present, because if I don't get Origin, my only response for Access-Control-Allow-Origin could be * because I would not know what the origin is.

可能有所不同的一件事......我只在Origin头存在时发送这些头,因为如果我没有得到Origin,我对Access-Control-Allow-Origin的唯一响应可能是*因为我不知道原点是什么。


注意!

本站转载的文章为个人学习借鉴使用,本站对版权不负任何法律责任。如果侵犯了您的隐私权益,请联系我们删除。



 
© 2014-2018 ITdaan.com 粤ICP备14056181号