XMLHttpRequest发起的请求的凭据模式由withCredentials属性

时间:2017-12-11 10:51:45

标签: python django cors django-cors-headers

在我提出这个问题之前,我已经阅读了这个related post

在我的settings.py中:

INSTALLED_APPS = [
    ...
    'corsheaders',
]

CORS_ORIGIN_ALLOW_ALL = False
CORS_ALLOW_CREDENTIALS = True
CORS_ORIGIN_WHITELIST = (
        'http://103.200.30.76'
        )

我的网站前端是使用Apache listen 80端口,我使用

python3 manage.py runserver 103.200.30.76:8001

但我还是得到了吼叫错误:

  

无法加载http://103.200.30.76:8001/api/website/websitemanage/footerreconmend/list/:对预检请求的响应未通过访问控制检查:' Access-Control-Allow-Origin'响应中的标题不能是通配符' *'当请求的凭据模式为' include'时。起源' http://103.200.30.76'因此不允许访问。 XMLHttpRequest发起的请求的凭证模式由withCredentials属性控制。

其中一个请求是这样的:

General:

Request URL:http://103.200.30.76:8001/api/website/websitemanage/homepagefunctionshow/list/
Request Method:OPTIONS
Status Code:200 OK
Remote Address:103.200.30.76:8001
Referrer Policy:no-referrer-when-downgrade

Response Headers

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with
Access-Control-Allow-Methods:DELETE, GET, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin:http://103.200.30.76
Access-Control-Max-Age:86400
Content-Length:0
Content-Type:text/html; charset=utf-8
Date:Mon, 11 Dec 2017 02:44:12 GMT
Server:WSGIServer/0.2 CPython/3.5.2
Vary:Origin
X-Frame-Options:SAMEORIGIN

Request Headers:

Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:zh-CN,zh;q=0.9,en;q=0.8
Access-Control-Request-Headers:access-control-allow-origin,x-requested-with
Access-Control-Request-Method:GET
Connection:keep-alive
Host:103.200.30.76:8001
Origin:http://103.200.30.76
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

那么,请问谁可以帮助我呢?

修改

我发现,如果我使用bellow命令(disable-web-security)打开Chrome,我就不会遇到这个问题。

open -a "Google Chrome" --args --disable-web-security --user-data-dir

编辑 - 2

我尝试了Naqib Hakimi的回答,使用了中间件:

class AccessControl(MiddlewareMixin):
    def process_request(self, request):

        if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
            response = http.HttpResponse()
            response["Access-Control-Allow-Origin"]= "*"
            response["Access-Control-Allow-Credentials"] = "true"
            response["Access-Control-Allow-Methods"]= "GET,HEAD,OPTIONS,POST,PUT"
            response["Access-Control-Allow-Headers"] = "Authentication , Authorization , X-CSRF-Token , Access-Control-Allow-Credentials , Access-Control-Allow-Methods , Access-Control-Allow-Origin , Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers"

            return response

        return None

但仍有这个问题。

我在调试器中检查了请求:

enter image description here

request.META中没有HTTP_ACCESS_CONTROL_REQUEST_METHOD

1 个答案:

答案 0 :(得分:0)

默认情况下,django剂量不允许所有域的Access-Control-Allow-Origin,您应该添加MIDDLEWARE_CLASSES来执行此操作。 

class AccessControl(object):
    def process_request(self, request):

        if 'HTTP_ACCESS_CONTROL_REQUEST_METHOD' in request.META:
            response = http.HttpResponse()
            response["Access-Control-Allow-Origin"]= "*"
            response["Access-Control-Allow-Credentials"] = "true"
            response["Access-Control-Allow-Methods"]= "GET,HEAD,OPTIONS,POST,PUT"
            response["Access-Control-Allow-Headers"] = "Authentication , Authorization , X-CSRF-Token , Access-Control-Allow-Credentials , Access-Control-Allow-Methods , Access-Control-Allow-Origin , Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers"

            return response

        return None

然后在setting.py 

MIDDLEWARE_CLASSES = [
    ...
    'app.filename.AccessControl',

    ]

这将允许来自所有域的请求

相关问题
最新问题