3
這是在跨源資源共享的上下文中。對於預檢請求,服務器不發送標題集。 當一個有效的cookie沒有通過「選項請求」傳遞時,它的響應中的服務器沒有發送我設置的頭文件,但是它發送的是「200 OK」。我用捲曲檢查這是可以看到下面(很明顯,我代替我有效的cookie與虛擬「xyzabcde」在這裏)繞過「選項請求」的身份驗證(因此所有頭都在響應中發送)
無cookie中的捲曲請求:
curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" -X OPTIONS --verbose app1_url/jsonrpc.cgi
(以下發送響應... )
HTTP/1.1 200 OK
Date: Tue, 01 Oct 2013 11:37:36 GMT
Server: Apache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4531
Content-Type: text/html; charset=utf-8
與 「-H曲奇:xyzabcde」:
curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" "-H Cookie:xyzabcde" -X OPTIONS --verbose app1_url/jsonrpc.cgi
(發送響應下面...)
HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
Apache的配置看起來像......
<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header always set Access-Control-Allow-Methods "GET, POST, HEAD, PUT, OPTIONS"
Header always set Access-Control-Allow-Origin "app2_url"
Header always set Access-Control-Max-Age "1800"
.
.
.
<Directory /app1/dir/>
Options Includes FollowSymLinks ExecCGI MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Net
PubcookieInactiveExpire -1
PubcookieAppID app1.company.com
require valid-user
</Directory>
.
.
</VirtualHost>
我怎樣才能讓所有的頭以響應身份認證的請求被髮送? 我想,選項請求理想情況下應該不需要任何身份驗證。
對我無效.. –
這裏有一個語法錯誤。部分應該用 LimitExcept>關閉。在這個例子中它缺少「/」。 – user1751825