我想从页面上一个域发送一个跨域请求到PHP服务器上的其他领域。一切正常,没有凭据(我需要会话),但只要我添加凭据,它不工作。
I am trying to send a cross domain request from a page on one domain to a PHP server on an other domain. Everything works fine without credentials (I need session) but as soon as I add credentials, it don't work.
下面是JS code:
Here is the JS code :
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://phpserver.net',true);
xhr.withCredentials = true ;
xhr.onreadystatechange = function(e) {
if (this.readyState == 4 && this.status == 200) {
alert(this.responseText);
}
}
xhr.send();
请记住,它的工作原理没有凭据。现在还没有警觉。 所以我检查与萤火虫网络:
Please remember that it works without credentials. Now there is no alert. So I inspected with Firebug the network :
请求被正确地由服务器处理,它接收与HTTP code 200,但没有内容。 我查了一下头:
The request is correctly handled by the server, it's received with an HTTP code 200 but there is no content. I checked the headers :
HTTP / 1.1 200 OK
HTTP/1.1 200 OK
日期:星期五,2013年6月14日17点20分十九秒GMT
Date: Fri, 14 Jun 2013 17:20:19 GMT
服务器:Apache / 2.4.2(Win64中)PHP / 5.4.3
Server: Apache/2.4.2 (Win64) PHP/5.4.3
X-Powered-By中:PHP / 5.4.3
X-Powered-By: PHP/5.4.3
访问控制 - 允许 - 产地:*
Access-Control-Allow-Origin: *
访问控制 - 允许-凭据:真正的
access-control-allow-credentials: true
过期:周四,1981年11月19日8时52分零零秒GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
缓存控制:无店面,无缓存,必重新验证,后检查= 0,pre-检查= 0
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
杂注:无缓存
设置Cookie:键= 441wqr3e4cf2456c763c1ea173aa06b5ad284e5f38;到期=周五,6月28日 - 2013十七时二十分19秒格林尼治标准时间 键2 = 248fbaf41cdd698549fdddb341927885;到期=周五,6月28日 - 2013十七时二十分19秒GMT
Set-Cookie: key=441wqr3e4cf2456c763c1ea173aa06b5ad284e5f38; expires=Fri, 28-Jun-2013 17:20:19 GMT key2=248fbaf41cdd698549fdddb341927885; expires=Fri, 28-Jun-2013 17:20:19 GMT
的Content-Length:8
Content-Length: 8
保持活动:超时= 5,最大值= 100
Keep-Alive: timeout=5, max=100
连接:保持活动
的Content-Type:text / html的;字符集= UTF-8
Content-Type: text/html; charset=UTF-8
最后我奇怪的发现: 头的Content-Length真实地反映了真实的内容长度!如果我添加回声富,内容长度的增加由三个等。
And finally my strangest discovery : The header "Content-Length" actually shows the real content length ! If I add an echo "foo", the content-length increase by three and so on.
我看着低谷很多的问题,但是这一次是真正棘手,我无法找到任何解决办法:(
I looked trough lots of questions but this one is really tricky and I can't find any solution :(
修改: 我忘了提,这要求工作,如果不是我使用一个用户脚本和GM_xhr功能xmlHtt prequest对象。
EDIT : I forgot to mention that this request works if instead of the xmlHttpRequest object I use a user-script and the GM_xhr function.
在设置标题访问控制 - 允许-证书
为true,则不能使用通配符头访问控制 - 允许 - 原产地
。也就是说,一个特定的主机必须被指定。
When setting headerAccess-Control-Allow-Credentials
to true, you cannot use a wildcard for header Access-Control-Allow-Origin
. That is, a specific host must be specified.
相反的:
Access-Control-Allow-Origin: *
使用:
Access-Control-Allow-Origin: http://safedomain.com
您甚至可以设置访问控制 - 允许 - 原产地
头在请求获得原产地
头。不知道PHP,但使用Java Servlet的API:
You can even set the Access-Control-Allow-Origin
header to the Origin
header received in the request. Not sure about PHP, but using the Java Servlets API:
String origin = request.getHeader("Origin");
request.setHeader("Access-Control-Allow-Origin", origin);