在'Access-Control-Allow-Origin'中不能使用通配符'*',即使它不是通配符

时间:2016-09-09 17:37:56

标签: php ajax backbone.js cors slim

您好我遇到了PHP和marionette.js的奇怪错误。我有一个由marionette.js(扩展backbone.js)构成的前端,它需要对我在其他URL上运行的后端API进行CORS调用。我已经覆盖了主干的同步功能以允许withCredentials和stuff:

var proxiedSync = Backbone.sync;

  Backbone.sync = function(method, model, options) {
    options || (options = {});

    if (!options.crossDomain) {
      options.crossDomain = true;
    }

    if (!options.xhrFields) {
      options.xhrFields = {withCredentials:true};
    }

    return proxiedSync(method, model, options);
  };

在我的Slim 3.5后端中,我为CORS标题设置了这个中间件:

$app->add(function ($req, $res, $next) {
$response = $next($req, $res);
return $response->withHeader('Access-Control-Allow-Credentials', 'false')->withHeader('Access-Control-Allow-Origin', 'http://localhost:4000')
        ->withHeader('Access-Control-Allow-Headers', 'X-Requested-With, Content-Type, Accept, Origin, Authorization, Session')
        ->withHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD');});

现在我在chrome调试工具中得到了当前的响应:

  

XMLHttpRequest无法加载xxxxx。当credentials标志为true时,不能在'Access-Control-Allow-Origin'标头中使用通配符'*'。因此,不允许原点“http://localhost:4000”访问。 XMLHttpRequest的凭证模式由withCredentials属性控制。

但是,当我查看“网络”选项卡并检查“请求标头”时,我可以清楚地看到Access-Control-Allow-Origin不是通配符,而是“http://localhost:4000”:

HTTP/1.1 200 OK
Date: Fri, 09 Sep 2016 17:35:32 GMT
Server: Apache/2.4.17 (Win64) PHP/7.0.0
X-Powered-By: PHP/7.0.0
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:4000
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin, Authorization, Session
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD
Content-Length: 1130
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

编辑1:这里是我的选择路线

这是我的选择路线:

$app->options('/{routes:.+}', function ($request, $response, $args) {
    return $response;
});

编辑2:预飞行响应和请求

好的,这里是预检响应请求标题的快速更新:

OPTIONS /devsea/login HTTP/1.1
Host: localhost
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: POST
Origin: http://localhost:4000
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Access-Control-Request-Headers: content-type
Accept: */*
Referer: http://localhost:4000/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,fr;q=0.6

以下是飞行前请求的响应标头:

HTTP/1.1 200 OK
Date: Fri, 16 Sep 2016 00:49:38 GMT
Server: Apache/2.4.17 (Win64) PHP/5.6.16
X-Powered-By: PHP/5.6.16
Set-Cookie: UserSession=aemsvqf9b7u2c4isdhocq4mre7; expires=Fri, 16-Sep-2016 01:49:38 GMT; Max-Age=3600; path=/
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:4000
Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept, Origin, Authorization, Session
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, HEAD
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

1 个答案:

答案 0 :(得分:0)

所以我知道这绝对没有意义。但重新启动我的开发机器后,一切都开始工作了。对不起,每个人都有麻烦,也许apache需要重启或其他什么。