2012-08-31 125 views
1

CORS DELETE fails, 403 status code

I developed a CORS REST server and some pages with JS code that calls its URLs.

I decided to refactor the JS pages, and now my DELETE ajax request to the server no longer works. Part of the refactoring involved moving the URL from http://localhost/dev to http://dev.local. I added the new URL to the allowed request origins, and in fact my GET routes still work fine.

DELETE, instead, is now not allowed (403 after the preflight), and I can't see where my mistake is.

Here are the OPTIONS and DELETE dumps from the dev tools:

Request URL:http://localhost:9292/users/101 
Request Method:OPTIONS 
Status Code:200 OK 
Request Headers 
Accept:*/* 
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3 
Accept-Encoding:gzip,deflate,sdch 
Accept-Language:en-US,en;q=0.8 
Access-Control-Request-Headers:origin, accept 
Access-Control-Request-Method:DELETE 
Cache-Control:no-cache 
Connection:keep-alive 
Host:localhost:9292 
Origin:http://dev.local 
Pragma:no-cache 
Referer:http://dev.local/ 
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
Response Headers 
Access-Control-Allow-Credentials:true 
Access-Control-Allow-Headers:origin, accept 
Access-Control-Allow-Methods:PUT, OPTIONS, DELETE, GET, POST 
Access-Control-Allow-Origin:http://dev.local 
Access-Control-Expose-Headers:Content-Type 
Access-Control-Max-Age:1728000 
Connection:close 
Content-Type:text/plain 
Server:thin 1.3.1 codename Triple Espresso 

It responds with a payload containing "Forbidden". Here is the DELETE request:

Request URL:http://localhost:9292/users/101 
Request Method:DELETE 
Status Code:403 Forbidden 
Request Headers 
DELETE /users/101 HTTP/1.1 
Host: localhost:9292 
Connection: keep-alive 
Cache-Control: no-cache 
Origin: http://dev.local 
Pragma: no-cache 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 
Accept: application/json, text/javascript, */*; q=0.01 
Referer: http://dev.local/ 
Accept-Encoding: gzip,deflate,sdch 
Accept-Language: en-US,en;q=0.8 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 
Cookie: fbsr_348362375211512=r2WOBYNXrmyP6lKJ7JVAnlU9gfLjela8jRSarGHvQ-M.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURSRDhOckJ2YnI0MlFLTk5vblhiOGNVcjVXTFpHTDNMcVBjYl9PXzFqd3hKS0tlWFZ1cFVVMi03OXNxOU1BcjFGV2RxTzVtV0RSTllXbkxKcndUQmtZOFpMS3VmeWt0b05xU3ctVzdqNk4zVHBFQVZOM3ZlRzFKeW5lRWpiRkxSdXlPNHpGMDNVd255RFZqZ0xOdHQwMTJCUWVvb0NSR1ZSTVUtQkVhS1ZtaGtKZGdKck5RSDUwWHhQVW5wT1MyY0EiLCJpc3N1ZWRfYXQiOjEzNDY0MjUyMzgsInVzZXJfaWQiOiIxMDI5MDk2MTIzIn0; oauth2-token=; rack.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRiJFNTc3ZTMxZGZjNWUxYWNhZDU3NWUw%0ANjJkMDBkMDRiNmMxOWI0ODE5Yjk5YjMwMWI3YTMyOTM1ZjVmZWMyMGY1ZEki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItZGY1ZDgz%0AMzMyYTg4ZjBkNGY1ZGU0MGNjNzljMDhkNTUzZDJkMjkxNUkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0N0kiB2lkBjsA%0ARmlqSSIObG9nZ2VkX2luBjsARlQ%3D%0A--c1a452275c10bd0ebe0e21fe7925d1fe7349c46f 
Response Headers 
HTTP/1.1 403 Forbidden 
X-Frame-Options: sameorigin 
Content-Type: text/plain 
Set-Cookie: rack.session=BAh7CkkiD3Nlc3Npb25faWQGOgZFRiJFNTc3ZTMxZGZjNWUxYWNhZDU3NWUw%0ANjJkMDBkMDRiNmMxOWI0ODE5Yjk5YjMwMWI3YTMyOTM1ZjVmZWMyMGY1ZEki%0ADXRyYWNraW5nBjsARnsISSIUSFRUUF9VU0VSX0FHRU5UBjsARiItZGY1ZDgz%0AMzMyYTg4ZjBkNGY1ZGU0MGNjNzljMDhkNTUzZDJkMjkxNUkiGUhUVFBfQUND%0ARVBUX0VOQ09ESU5HBjsARiItZWQyYjNjYTkwYTRlNzIzNDAyMzY3YTFkMTdj%0AOGIyODM5Mjg0MjM5OEkiGUhUVFBfQUNDRVBUX0xBTkdVQUdFBjsARiItY2M5%0AZjZmZWM2NTJhNDI1OGJjNmQyOTI4NzA1MjE3OWFiMWUwZDE0N0kiB2lkBjsA%0ARmlqSSIObG9nZ2VkX2luBjsARlRJIgljc3JmBjsARiJFNWRjMjdjZThkNTM0%0ANWFhMTU3OGQ2ZDk3NGJjYjZjZGMzMzEwOTFiNTg5OTk1YTMyYTYxOTMzMTgy%0AMTU0N2E2ZA%3D%3D%0A--578809491df1629d183c98a530ccbcf925000b6e; path=/; HttpOnly 
Access-Control-Allow-Origin: http://dev.local 
Access-Control-Allow-Methods: PUT, OPTIONS, DELETE, GET, POST 
Access-Control-Expose-Headers: Content-Type 
Access-Control-Max-Age: 1728000 
Access-Control-Allow-Credentials: true 
Vary: Origin 
Connection: close 
Server: thin 1.3.1 codename Triple Espresso 

Any hint or suggestion to identify the problem?

Thanks, Dario.

+1

The CORS portion of the request looks fine. The fact that you are getting a 403 means something is going wrong at a deeper level than CORS. How are you handling authentication to http://dev.local? Are you sure the correct authentication credentials are being sent to the server? – monsur

+0

In my JS I use jQuery's $.ajax with xhrFields: {withCredentials: true}, but I also tried the shim provided here: http://www.nczonline.net/blog/2010/05/25/cross-domain-ajax-with-cross-origin-resource-sharing/. Server side I use the 'rack-cors' gem. – Dario

+0

Does your server require authentication? If so, what kind of authentication does it use? – monsur

Answer

1

After searching, and thanks to monsur's comments (which helped me realize that everything on the client side was correct), I raised the Rack log level to debug and found an "attack prevented by Rack::Protection::RemoteToken", which pointed out that the problem was a misconfiguration of the rack-protection that Sinatra uses.

By default my app was failing the CSRF protection because the referrer was different; disabling it with:

set :protection, :except => [:remote_token, :frame_options] 

it works.
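Why the DELETE in the dump above is rejected while the OPTIONS preflight passes, and a narrower fix than switching the check off, as an added example. This is plain Ruby modelling the RemoteToken decision; it is not code from the question, the answer or the rack-protection gem, and the session token value, the origin allow-list and the attacker request are constructed assumptions.

```ruby
require 'uri'

SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Host of the Referer header, or nil when absent or unparseable (mirrors how
# rack-protection derives the referrer it compares against the request host).
def referrer_host(env)
  ref = env['HTTP_REFERER'].to_s
  return nil if ref.empty?
  URI.parse(ref).host
rescue URI::InvalidURIError
  nil
end

# Request host without the port, so "localhost:9292" compares as "localhost".
def request_host(env)
  env['HTTP_HOST'].to_s.split(':').first
end

# Model of Rack::Protection::RemoteToken#accepts?: a request passes if its
# method is safe, if it carries the session's CSRF token in X-CSRF-Token,
# or if the Referer host equals the request host. Anything else is denied.
def remote_token_accepts?(env, session)
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  token = session[:csrf]
  return true if token && env['HTTP_X_CSRF_TOKEN'] == token
  referrer_host(env) == request_host(env)
end

# Narrower alternative to `:except => [:remote_token]` (assumption: you keep
# the same origin allow-list that rack-cors is configured with). A cross-site
# request is accepted only when its Origin is on that list; every other
# state-changing request still needs the token or a same-host referrer.
def allowlisted_accepts?(env, session, allowed_origins)
  return true if remote_token_accepts?(env, session)
  origin = env['HTTP_ORIGIN'].to_s
  !origin.empty? && allowed_origins.include?(origin)
end

# Status a Sinatra app would return under each policy (:deny reaction => 403).
def status_under(policy, env, session, allowed_origins = [])
  ok = case policy
       when :remote_token then remote_token_accepts?(env, session)
       when :allowlist    then allowlisted_accepts?(env, session, allowed_origins)
       when :disabled     then true # what `:except => [:remote_token]` amounts to
       end
  ok ? 200 : 403
end

# Constructed from the DELETE dump in the question: Host localhost:9292,
# Origin and Referer on dev.local, no X-CSRF-Token header.
QUESTION_DELETE_ENV = {
  'REQUEST_METHOD' => 'DELETE',
  'PATH_INFO'      => '/users/101',
  'HTTP_HOST'      => 'localhost:9292',
  'HTTP_ORIGIN'    => 'http://dev.local',
  'HTTP_REFERER'   => 'http://dev.local/',
}.freeze

# Constructed: the preflight from the same dump (OPTIONS is a safe method).
QUESTION_PREFLIGHT_ENV = QUESTION_DELETE_ENV.merge('REQUEST_METHOD' => 'OPTIONS').freeze

# Constructed attacker request: an auto-submitted HTML form on another site.
# Browsers send it with the victim's session cookie and without any preflight.
CSRF_FORM_POST_ENV = {
  'REQUEST_METHOD' => 'POST',
  'PATH_INFO'      => '/users/101',
  'HTTP_HOST'      => 'localhost:9292',
  'HTTP_ORIGIN'    => 'http://evil.example',
  'HTTP_REFERER'   => 'http://evil.example/form.html',
}.freeze

SESSION = { csrf: 'session-csrf-token' }.freeze # placeholder token value
ALLOWED_ORIGINS = ['http://dev.local'].freeze    # assumed rack-cors origins

if __FILE__ == $PROGRAM_NAME
  [[:remote_token, QUESTION_PREFLIGHT_ENV], [:remote_token, QUESTION_DELETE_ENV],
   [:allowlist, QUESTION_DELETE_ENV], [:allowlist, CSRF_FORM_POST_ENV],
   [:disabled, CSRF_FORM_POST_ENV]].each do |policy, env|
    puts format('%-13s %-7s Origin=%-20s => %d', policy, env['REQUEST_METHOD'],
                env['HTTP_ORIGIN'], status_under(policy, env, SESSION, ALLOWED_ORIGINS))
  end
end
```

Run stand-alone, the script shows the preflight accepted (safe method), the dev.local DELETE denied under the default rule (Referer host dev.local does not match localhost, and no X-CSRF-Token was sent), accepted under the allow-list rule, and the forged form POST still denied under the allow-list rule but accepted once `:remote_token` is excluded. That last row is the caveat: excluding the check drops CSRF protection for every non-safe route, including plain form POSTs that browsers submit with the session cookie and without a CORS preflight. Matching on Origin is sound for this purpose because the browser, not the page, sets that header; a non-browser client can forge it, but it does not hold the victim's cookie either.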
