我有一个非常奇怪的问题。我有一个Webservice构建,其中包含一个简单的Perl CGI脚本作为API的包装器(允许受限制的跨源控制)。
无论如何,为了允许跨源请求我设置了这些标题:
Content-Type: text/plain
Access-Control-Allow-Origin: $origin
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Accept-Language, Content-Language
Content-Security-Policy: connect-src *
X-Content-Security-Policy: connect-src *
X-WebKit-CSP: connect-src *
Access-Control-Max-Age: 1728000
Vary: Accept-Encoding, Origin
其中my $origin = $ENV{HTTP_ORIGIN} // '*';。
当脚本请求预期的Ressource时,将遵循Wrapper的响应(从Firefox复制):
HTTP/1.1 200 OK
Date: Wed, 20 Jan 2016 12:54:48 GMT
Server: Apache
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Accept-Language, Content-Language
content-security-policy: connect-src *, frame-ancestors 'self'
X-Content-Security-Policy: connect-src *
X-WebKit-CSP: connect-src *
Access-Control-Max-Age: 1728000
Vary: Accept-Encoding,Origin
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain
浏览器给出了以下错误:
XMLHttpRequest cannot load http://www.example.com/cgi-bin/wrapper.pl. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example2.com' is therefore not allowed access.`
我还使用curl和Postman对来电进行了测试,但这仍然符合预期。
问题是所有浏览器似乎都忽略了Access-Control-Allow-Origin标题,即使设置了它。
答案 0 :(得分:2)
好的,我发现了问题。错误是我仅在Access-Control-Allow-Origin请求中发送Access-Control-Allow-Headers和OPTIONS,而不是正常POST。