无法在 nginx 上禁用同源策略

Question

我需要在服务器上禁用同源策略。作为背景：我已经通过使用禁用网络安全标志启动 chrome 来验证一切正常。一切都按预期进行。

这是我在 nginx 方面所做的：

upstream phpfcgi {
  server unix:/var/run/php5-fpm.sock; #for PHP-FPM running on UNIX socket
}

server {
listen 80;

root /var/www/yammi2;
    index index.html index.php index.htm;
server_name myserver.ch;

add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Credentials 'true';
    add_header Access-Control-Allow-Headers 'Content-Type,accept,x-wsse,origin';
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS, PUT, DELETE';

# strip app.php/ prefix if it is present
    rewrite ^/app\.php/?(.*)$ /$1 permanent;

location / {
    index app.php;
    try_files $uri @rewriteapp;
}

location @rewriteapp {
    rewrite ^(.*)$ /app.php/$1 last;
}

# pass the PHP scripts to FastCGI server from upstream phpfcgi
location ~ ^/(app|app_dev|config)\.php(/|$) {
    fastcgi_pass phpfcgi;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param  HTTPS off;

}   

}

当我执行curl调用时：curl -I myserver.ch，我得到以下结果：

HTTP/1.1 302 Found
Server: nginx/1.1.19
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.3.10-1ubuntu3.9
Set-Cookie: PHPSESSID=gvcl3v533ib91l2c6v888gl9d3; path=/
cache-control: no-cache
date: Fri, 10 Jan 2014 07:01:18 GMT
location: http://myserver.ch/admin/restaurant
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Content-Type,accept,x-wsse,origin
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE

所以至少看起来标头设置正确，但我进行 ajax 调用时的结果是：

OPTIONS http://myserver.ch/api/v1/restaurant/closest?max=50&lat=47&lon=8 500 (Internal Server Error) jquery-2.0.3.js:7845
OPTIONS http://myserver.ch/api/v1/restaurant/closest?max=50&lat=47&lon=8 Origin http://localhost is not allowed by Access-Control-Allow-Origin. jquery-2.0.3.js:7845
XMLHttpRequest cannot load http://myserver.ch/api/v1/restaurant/closest?max=50&lat=47&lon=8. Origin http://localhost is not allowed by Access-Control-Allow-Origin. overview.html:1

我对“内部服务器错误”有点困惑，但我想既然它与标志一起工作，这一定与同源有关。

服务器应用程序是一个 symphony 应用程序。我希望我没有错过任何事情。知道如何解决这个问题吗？甚至如何调试它？

也许最后一个剪断，这是我如何拨打电话的（同样，不应该是问题，因为使用禁用安全标志，它可以按预期工作）：

$.ajax({
          url: url,
          headers: {"x-wsse": getWsseHeader()},
          beforeSend: function (request) {
                request.setRequestHeader("x-wsse", getWsseHeader());
          },
          success: function() {

          },
          error: function(error) {
            console.log(error.statusText);
          }
        });

Answer 1

改变这一行

add_header Access-Control-Allow-Origin *;

作为

add_header 'Access-Control-Allow-Origin' '';