0

我有一个由 HTTP 提供的页面。客户端代码向同一域发送 AJAX 授权请求,但使用 HTTPS。(所以它是CORS)。

FireFox 生成此请求: // 域和 cookie 已更改

OPTIONS /auth/registration/json/info/ HTTP/1.1
Host: my-site.dev
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-ru,pl;q=0.8,ru;q=0.6,en-us;q=0.4,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://my-site.dev
Access-Control-Request-Method: GET
Access-Control-Request-Headers: x-requested-with
Connection: keep-alive

我的服务器响应:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Thu, 07 Nov 2013 09:55:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: https://my-site.dev
Vary: Cookie
Access-Control-Allow-Origin: http://my-site.dev
Access-Control-Allow-Methods: OPTIONS, GET
Set-Cookie: csrftoken=foobar; expires=Thu, 06-Nov-2014 09:55:55 GMT; Max-Age=31449600; Path=/

0

FireBug 显示 OPTIONS 请求成功,但之后不触发 GET 请求:

在此处输入图像描述

我的回答有什么问题?

4

1 回答 1

0

Qantas 94 Heavy,你是对的。应该只有一个Access-Control-Allow-Origin标头,只有一个域:域,在Origin请求标头中指定。

这是 Firefox 接受的正确答案:

HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Thu, 07 Nov 2013 09:55:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Cookie
Access-Control-Allow-Origin: http://my-site.dev      // The same as `Origin`
Access-Control-Allow-Methods: OPTIONS, GET
Set-Cookie: csrftoken=foobar; expires=Thu, 06-Nov-2014 09:55:55 GMT; Max-Age=31449600; Path=/

0
于 2013-11-08T04:56:48.550 回答