我刚开始使用Cross Origin Resource Sharing并尝试让我的webapp响应CORS请求.我的webapp是在Tomcat 7.0.42上运行的Spring 3.2应用程序.
在我的webapp的web.xml中,我启用了Tomcat CORS过滤器:
<!-- Enable CORS (cross origin resource sharing) -->
<!-- http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter -->
<filter>
<filter-name>CorsFilter</filter-name>
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CorsFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
我的客户端(使用AngularJS 1.2.12编写)正在尝试访问启用了基本身份验证的REST端点.当它发出GET请求时,Chrome首先预检请求,但是从服务器收到403 Forbidden响应:
Request URL:http://dev.mydomain.com/joeV2/users/listUsers
Request Method:OPTIONS
Status Code:403 Forbidden
Request Headers:
OPTIONS /joeV2/users/listUsers HTTP/1.1
Host: dev.mydomain.com
Connection: keep-alive
Cache-Control: max-age=0
Access-Control-Request-Method: GET
Origin: http://localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
Access-Control-Request-Headers: accept, authorization
Accept: */*
Referer: http://localhost:8000/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Response Headers:
HTTP/1.1 …对于一个项目,我正在查看各种HTML5和Javascript元素以及它们周围的安全性,我正试图让我的头脑刚刚绕过CORS.
根据我的测试,如果我删除..
<?php
header("Access-Control-Allow-Origin: *");
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
?>
..从试图访问的页面我在Chrome上的控制台日志中看到以下内容:
XMLHttpRequest cannot load http://www.bla.com/index.php. Origin http://bla2.com is not allowed by Access-Control-Allow-Origin.
我理解这是正确的,但Wireshark在返回时显示HTTP/1.1 200 OK,数据显示所请求页面的来源.那么只是浏览器和Javascript阻止responseText以任何实质性方式使用,即使它实际上被转移了吗?
代码如下:
function makeXMLRequest() {
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState==4) {
alert(xmlhttp.responseText);
}
}
xmlhttp.open("GET","http://www.bla.com/index.php",true);
xmlhttp.send();
}
提前致谢.
这三个标题是使用PHP添加的
header('Content-Type: application/json; charset=UTF-8;');
header('Access-Control-Allow-Methods: GET, POST');
header('Access-Control-Allow-Origin: *');
发送的所有标头是:
HTTP/1.1 200 OK
Date: Mon, 30 Jun 2014 06:39:29 GMT
Server: Apache
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: *
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Cache-Control: max-age=1, private, must-revalidate
Content-Length: 20
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8;
然而,当尝试使用 $.json 或 $.post 定位此服务器时,我在 Chrome 控制台中收到此错误:
XMLHttpRequest cannot load http://cms.webdevguru.co.uk/gurucms.php?mode=addto&apikey=606717496665bcba. No 'Access-Control-Allow-Origin' header is present on the …