Headers not being set for OPTIONS Ajax request

Tom*_*len 9 asp.net ajax iis-7 get access-control

I have an ascx page GetToken.ashx.

public void ProcessRequest (HttpContext context) {
    context.Response.ContentType = "text/plain";
    context.Response.AppendHeader("Access-Control-Allow-Origin", "*");
    context.Response.Write(Token.CreateToken());
}

When I AJAX to this page, it returns the following headers:

Request Method:GET
Status Code:200 OK
Access-Control-Allow-Origin:*
Cache-Control:private
Content-Length:36
Content-Type:text/plain; charset=utf-8
Date:Tue, 14 Apr 2015 17:20:53 GMT
Server:Microsoft-IIS/8.5
X-AspNet-Version:4.0.30319
X-Powered-By:ASP.NET

When the page making the AJAX request is placed in a sandboxed iFrame, it shows the error:

XMLHttpRequest cannot load https://127.0.0.1:112/handlers/gettoken.ashx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

And returns the headers:

Request Method:OPTIONS
Status Code:200 OK
Allow:OPTIONS, TRACE, GET, HEAD, POST
Content-Length:0
Date:Tue, 14 Apr 2015 17:30:14 GMT
Public:OPTIONS, TRACE, GET, HEAD, POST
Server:Microsoft-IIS/8.5
X-Powered-By:ASP.NET

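I can't seem to get the OPTIONS request to add the header. Adding allow-same-origin to the sandbox attribute changes the request to a GET, but I do not want to grant the iFrame those permissions.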

use*_*080 6

I think you meant to write ashx, not ascx. The presence of the ProcessRequest (HttpContext context) method suggests that it is a generic handler and not a user control.

I made a very simple page to test with:

<%@ Page Language="C#" AutoEventWireup="true" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript" src="Scripts/jquery-1.4.1.js"></script>
</head>
<body>
    <div id="testCorsDiv">
    </div>
    <script type="text/javascript">
        $.ajax({
            type: "GET",
            url: "/Handler/testCors.ashx",
            dataType: "text",
            success: function (theData) { $("#testCorsDiv").text(theData); },
            error: function (theData) { alert('error'); }
        });
    </script>
    <% if(string.IsNullOrEmpty(Request.QueryString["sandboxed"])) { %>
    <iframe src="http://127.0.0.1:49253/SandboxTest.aspx?sandboxed=true" sandbox="allow-scripts" width="600">
    </iframe>
    <% } %>
</body>
</html>

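I load the page http://localhost:49253/SandboxTest.aspx. The page then makes an ajax request to http://localhost:49253/Handler/testCors.ashx and puts its output into the testCorsDiv div. This generates a straight GET to the handler (since it comes from the same origin) and the output gets inserted.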

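In the page is also a sandboxed iframe that loads the same page using the URL http://127.0.0.1:49253/SandboxTest.aspx. The ?sandboxed=true is there to prevent the iframe from recursively loading an inner iframe. The page loaded in the iframe will then try to make an ajax request to http://127.0.0.1:49253/Handler/testCors.ashx and display the output in its own copy of the testCorsDiv div.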

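As long as the sandboxed iframe has allow-scripts, this works like a charm. The iframe generates an OPTIONS request that looks like this (from Fiddler, tested with Chrome):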

OPTIONS http://127.0.0.1:49253/Handler/testCors.ashx HTTP/1.1
Host: 127.0.0.1:49253
Connection: keep-alive
Cache-Control: max-age=0
Access-Control-Request-Method: GET
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90     Safari/537.36
Access-Control-Request-Headers: accept, x-requested-with
Accept: */*
Referer: http://127.0.0.1:49253/SandboxTest.aspx?sandboxed=true
Accept-Encoding: gzip, deflate, sdch
Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.6,en;q=0.4

My testCors.ashx handler then spits out some headers saying that this looks OK, and the browser then follows up with a GET, and it just works.

testCors.ashx does this:

public void ProcessRequest(HttpContext context)
{
    context.Response.ContentType = "text/plain";
    context.Response.AppendHeader("Access-Control-Allow-Origin", "*");
    context.Response.AppendHeader("Access-Control-Allow-Headers", "content-type, x-requested-with, accept");
    context.Response.AppendHeader("Access-Control-Allow-Methods", "POST, OPTIONS, GET");
    context.Response.Write("Hello World");
}

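So my testing indicates that it should be possible to do what you want. One thing that might be an issue, though, is if your handler is accessible only to authenticated/authorized users. As you can see, the OPTIONS request has not sent a cookie to the handler. But on the other hand, your question says that the response to your OPTIONS request is Status Code:200. I suppose that would be some 4** if a required authentication cookie were missing.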

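To wrap it up, I don't really know what is wrong in your case, but maybe (?) my simple sample page can give you some clues that will help you find the problem yourself.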
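
A handler that answers the preflight explicitly and keeps the token out of the OPTIONS response, as an added example that is not code from the question or the answer. The class name is hypothetical, Token.CreateToken() is the question's own helper, and the example assumes the server actually routes OPTIONS requests for the .ashx path to the handler; the OPTIONS response shown in the question carries none of the handler's headers, so that routing is worth checking first.

```csharp
using System.Web;

// Added example; the class name is hypothetical. Token.CreateToken() is the
// question's own helper and is assumed to exist in the project.
public class GetTokenCors : IHttpHandler
{
    // Request headers named in the answer's preflight capture, plus
    // content-type as in the answer's handler.
    private const string AllowedHeaders = "accept, x-requested-with, content-type";
    private const string AllowedMethods = "GET, OPTIONS";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;

        // A sandboxed iframe without allow-same-origin sends "Origin: null",
        // so only "*" (or a literal "null") can match it. With "*" every
        // origin may read the response, and browsers refuse "*" for requests
        // that carry credentials, so the token must not depend on cookies.
        response.AppendHeader("Access-Control-Allow-Origin", "*");

        bool isPreflight =
            request.HttpMethod == "OPTIONS" &&
            request.Headers["Access-Control-Request-Method"] != null;

        if (isPreflight)
        {
            // Answer the preflight with headers only: 200, no body, no token.
            response.AppendHeader("Access-Control-Allow-Methods", AllowedMethods);
            response.AppendHeader("Access-Control-Allow-Headers", AllowedHeaders);
            return;
        }

        if (request.HttpMethod != "GET")
        {
            // Anything other than GET or a preflight is rejected.
            response.StatusCode = 405;
            response.AppendHeader("Allow", AllowedMethods);
            return;
        }

        // Tokens should not be stored by browser or intermediary caches.
        response.ContentType = "text/plain";
        response.Cache.SetCacheability(HttpCacheability.NoCache);
        response.Cache.SetNoStore();
        response.Write(Token.CreateToken());
    }
}
```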