I am trying to implement CORS support for my Django server.

settings.py

MIDDLEWARE_CLASSES = (
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'userdetails.middleware.crossdomainxhr.XsSharing',
)    
XS_SHARING_ALLOWED_CREDENTIALS = 'True'
XS_SHARING_ALLOWED_ORIGINS = '*'
XS_SHARING_ALLOWED_METHODS = ['POST','GET','OPTIONS', 'PUT', 'DELETE']

'userdetails.middleware.crossdomainxhr.XsSharing' is exactly the code from https://gist.github.com/strogonoff/1369619

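When I call it from Chrome with an ajax script, I get the error: 'Origin http://localhost:8002 is not allowed by Access-Control-Allow-Origin' (http://localhost:8002 is where my local web server is). Any idea what I am doing wrong here?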

The ajax script is here:

<html lang="en">
    <head>
        <meta charset="utf-8" />
        <script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>

        <script>
            $(document).ready(function () {
                var url = 'http://xx.xxx.x.xxx/api/user/register/'; 
              alert("going to make call, see the request/response in browser debuger/inspector");
                $.ajax({
                    type: "POST",
                    contentType: "application/json",
                    dataType: "application/json",
                    url: url,
                    data: JSON.stringify({
                        'firstName': 'Corsnew',
                        'lastName': 'Corsnew',
                        'email': 'corsnewe@cors.com',
                        'password': 'cors',
                    }),

                    processData: false,
                    //contentType: "application/json; charset=utf-8",
//                    accept: 'text/plan',
                      origin: 'localhost',
                   
                    complete: function (data) {
                        console.dir(data);
                    }
                });

            });
        </script>
        <title></title>
    </head>
    <body>
        
    </body>
</html>

The response in Chrome is:

HTTP/1.1 200 OK
Date: Tue, 06 Aug 2013 07:33:09 GMT
Server: Apache/2.2.20 (Ubuntu)
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,PUT,DELETE
Access-Control-Allow-Headers: Content-Type,*
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

1 Answer

These two headers conflict:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *

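Wildcards are not accepted; you need to specify an origin for credentials to be sent. Your server can echo back the origin from the incoming request.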

( https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Requests_with_credentials )

answered 2014-05-05T16:00:58.390
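The origin echo suggested in the answer, restricted to an allowlist so that credentialed access is not granted to every site; this is an added example, not code from the question, the answer or the linked gist. `ALLOWED_ORIGINS`, `ALLOWED_HEADERS`, `cors_headers` and `AllowlistCorsMiddleware` are hypothetical names, and the middleware uses the old-style `process_response` hook that goes with `MIDDLEWARE_CLASSES`.

```python
# Added example: CORS header logic kept free of Django imports so it runs stand-alone.

# Assumed allowlist; the only origin named on the page is http://localhost:8002.
ALLOWED_ORIGINS = frozenset(["http://localhost:8002"])
ALLOWED_METHODS = ["POST", "GET", "OPTIONS", "PUT", "DELETE"]
ALLOWED_HEADERS = ["Content-Type"]  # assumed; list only what the API needs


def cors_headers(origin, allowed_origins=ALLOWED_ORIGINS, credentials=True):
    """Return the CORS response headers for a request's Origin header value."""
    # Always vary on Origin so a cache never replays one origin's answer to another.
    headers = {"Vary": "Origin"}
    if not origin or origin not in allowed_origins:
        return headers  # no Allow-Origin header: the browser blocks the read
    # Echo the exact origin; browsers reject "*" on credentialed requests.
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Methods"] = ",".join(ALLOWED_METHODS)
    headers["Access-Control-Allow-Headers"] = ",".join(ALLOWED_HEADERS)
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


class AllowlistCorsMiddleware(object):
    """Hypothetical old-style middleware that attaches the headers to each response."""

    def process_response(self, request, response):
        origin = request.META.get("HTTP_ORIGIN")
        for name, value in cors_headers(origin).items():
            if name == "Vary" and name in response:
                if "origin" in response[name].lower():
                    continue  # Vary already covers Origin
                value = response[name] + ", " + value  # keep e.g. Accept-Encoding
            response[name] = value
        return response
```

Unknown origins receive only `Vary: Origin`, so the browser refuses to expose the response to them.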