在 restify 中允许 OPTIONS 方法 - 预检响应中的 Access-Control-Allow-Headers 不允许请求头字段 Authorization
allowing options method with restify - Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response
我正在使用 restify 框架编写一个 nodejs api 应用程序。
我正在为跨域访问启用 cors。
restify 的配置代码如下:
var restify = require('restify'),
fs = require('fs');
// Create the TLS-enabled server. The certificate and private key are read
// synchronously at startup, so an unreadable file makes fs.readFileSync throw
// before the server object exists.
// NOTE(review): server.key lives under the application directory; keep it out
// of version control and readable only by the account running this process.
var serverOptions = {
  name: 'MyAlcoholist',
  certificate: fs.readFileSync(__dirname + '/config/keys/myalcoholist/server.crt'),
  key: fs.readFileSync(__dirname + '/config/keys/myalcoholist/server.key')
};
var server = restify.createServer(serverOptions);
/**
 * Sets the CORS response headers for a preflight (OPTIONS) request and passes
 * control to the next handler in the chain.
 *
 * Authorization is not in the Access-Control-Allow-Headers list below, so a
 * browser rejects the preflight of any request that carries that header,
 * which is the error reported on this page.
 *
 * NOTE(review): Access-Control-Allow-Origin is '*' here even though the
 * restify.CORS config in the same snippet restricts origins to an allow-list.
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only setHeader() is used
 * @param {function} next - continuation; its return value is returned
 */
function corsHandler(req, res, next) {
  var preflightHeaders = [
    ['Access-Control-Allow-Origin', '*'],
    ['Access-Control-Allow-Headers', 'Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token'],
    ['Access-Control-Allow-Methods', '*'],
    ['Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time'],
    ['Access-Control-Max-Age', '1000']
  ];

  preflightHeaders.forEach(function (pair) {
    res.setHeader(pair[0], pair[1]);
  });

  return next();
}
/**
 * Terminal handler for OPTIONS requests: sends status 200 with no body and
 * then calls next().
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only send() is used
 * @param {function} next - continuation; its return value is returned
 */
function optionsRoute(req, res, next) {
  var HTTP_OK = 200;
  res.send(HTTP_OK);
  return next();
}
// Parse request bodies before any route handler runs.
server.use(restify.bodyParser());

// CORS policy for the API, restricted to the listed front-end origins.
// NOTE(review): corsHandler (registered on the OPTIONS route below) sets
// Access-Control-Allow-Origin to '*', which does not match this allow-list.
var corsOptions = {
  origins: ['http://127.0.0.1', 'https://myalcoholist.com', 'https://www.myalcoholist.com'], // defaults to ['*']
  credentials: true, // defaults to false
  headers: ['x-foo'], // sets expose-headers
  methods: ['GET', 'PUT', 'DELETE', 'POST', 'OPTIONS']
};
server.use(restify.CORS(corsOptions));

// Answer OPTIONS (preflight) requests with the CORS headers and a 200.
// NOTE(review): the first argument is a string, not a RegExp literal; inside a
// string '\.' is just '.', so confirm the route matches the paths you expect.
server.opts('/\.*/', corsHandler, optionsRoute);

server.listen(8888, function onListening() {
  console.log('%s listening at %s', server.name, server.url);
});
如您所见,我实现了一个 corsHandler 函数来处理 OPTIONS 请求。我遇到的问题是,当我从 https://myalcoholist.com 访问此 nodejs api 时,在 Google Chrome 浏览器中收到以下错误:
XMLHttpRequest cannot load https://myalcoholist.com:8888/cocktail/get_latest_drinks. Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.
有人知道我为什么会收到这个错误吗?
看来答案很简单:我需要在允许的请求头列表(Access-Control-Allow-Headers)中加上 Authorization。修改后的 corsHandler 函数如下:
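/**
 * Sets the CORS response headers for a preflight (OPTIONS) request and passes
 * control to the next handler in the chain.
 *
 * Authorization is listed in Access-Control-Allow-Headers, which resolves the
 * preflight error reported on this page. It has to be named explicitly:
 * browsers do not let a '*' wildcard in that header cover Authorization.
 *
 * Changes from the version posted on the page:
 *  - Access-Control-Allow-Origin echoes the request's Origin only when it is
 *    on the allow-list (the same origins the page passes to restify.CORS)
 *    instead of answering '*' to every site.
 *  - Access-Control-Allow-Methods names the methods explicitly; '*' is only a
 *    wildcard for requests made without credentials, and older browsers do not
 *    treat it as a wildcard at all.
 *
 * @param {object} req - incoming request; headers.origin is read
 * @param {object} res - response; only setHeader() is used
 * @param {function} next - continuation; its return value is returned
 */
function corsHandler(req, res, next) {
  var allowedOrigins = [
    'http://127.0.0.1',
    'https://myalcoholist.com',
    'https://www.myalcoholist.com'
  ];
  var requestOrigin = req.headers ? req.headers.origin : undefined;

  // The response depends on the Origin header, so caches must key on it.
  res.setHeader('Vary', 'Origin');

  // An origin that is absent or not on the list gets no Allow-Origin header,
  // so the browser fails the preflight and never sends the real request.
  if (allowedOrigins.indexOf(requestOrigin) !== -1) {
    res.setHeader('Access-Control-Allow-Origin', requestOrigin);
  }

  res.setHeader('Access-Control-Allow-Headers', 'Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token,Authorization');
  res.setHeader('Access-Control-Allow-Methods', 'GET, PUT, DELETE, POST, OPTIONS');
  res.setHeader('Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time');
  res.setHeader('Access-Control-Max-Age', '1000');
  return next();
}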
我通过以下代码解决了 restify 中 GET/POST 请求的 OPTIONS MethodNotAllowed 错误和 CORS 预检问题:
// Create the server with a display name and an API version.
// NOTE(review): no certificate/key is passed here, unlike the question's
// server; presumably TLS is terminated elsewhere. Confirm, since clients send
// an Authorization header to this API.
var serverOptions = {
  name: 'Test Server',
  version: '2.0.1'
};
var server = restify.createServer(serverOptions);
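/**
 * Sets the CORS response headers for a preflight (OPTIONS) request and passes
 * control to the next handler in the chain.
 *
 * Authorization is named explicitly in Access-Control-Allow-Headers; browsers
 * do not let a '*' wildcard in that header cover Authorization.
 *
 * Change from the version posted on the page: Access-Control-Allow-Methods
 * lists the methods explicitly (the same ones passed to restify.CORS in this
 * snippet). '*' is only a wildcard for requests made without credentials, and
 * older browsers do not treat it as a wildcard at all.
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only setHeader() is used
 * @param {function} next - continuation; its return value is returned
 */
function corsHandler(req, res, next) {
  // NOTE(review): '*' lets a page on any site pass this preflight, and browsers
  // refuse it for requests made with credentials. If the API serves known
  // front ends only, echo the request's Origin after checking an allow-list.
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Headers', 'Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token,Authorization');
  res.setHeader('Access-Control-Allow-Methods', 'GET, PUT, DELETE, POST, OPTIONS');
  res.setHeader('Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time');
  res.setHeader('Access-Control-Max-Age', '1000');
  return next();
}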
/**
 * Final handler on the OPTIONS route: replies with status 200 (no body) and
 * hands control to next().
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only send() is used
 * @param {function} next - continuation; its return value is returned
 */
function optionsRoute(req, res, next) {
  var okStatus = 200;
  res.send(okStatus);

  var outcome = next();
  return outcome;
}
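// CORS policy for the API.
// NOTE(review): `origins` is omitted; the question's config comments say it
// defaults to ['*']. Combined with credentials: true, confirm that is intended.
server.use(restify.CORS({
  credentials: true, // defaults to false
  methods: ['GET', 'PUT', 'DELETE', 'POST', 'OPTIONS']
}));

/*
 routes and authentication handlers
 */

// Answer OPTIONS (preflight) requests with the CORS headers and a 200.
// NOTE(review): the first argument is a string, not a RegExp literal; inside a
// string '\.' is just '.', so confirm the route matches the paths you expect.
server.opts('/\.*/', corsHandler, optionsRoute);

server.listen(serverPort, function() {
  // The rest of this callback is cut off on the page; the message is built but
  // not used in the lines shown. The listen() call is closed here so the
  // snippet parses.
  var consoleMessage = '\n Test Server';
});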
Restify 似乎已经直接移除了内置的 CORS 支持,现在改由插件 restify-cors-middleware 处理。
我正在使用 restify 框架编写一个 nodejs api 应用程序。
我正在为跨域访问启用 cors。
restify 的配置代码如下:
var restify = require('restify'),
fs = require('fs');
// Load the TLS material first, then create the server with it. Both reads are
// synchronous, so an unreadable file makes fs.readFileSync throw at startup.
// NOTE(review): server.key lives under the application directory; keep it out
// of version control and readable only by the account running this process.
var tlsCertificate = fs.readFileSync(__dirname + '/config/keys/myalcoholist/server.crt');
var tlsPrivateKey = fs.readFileSync(__dirname + '/config/keys/myalcoholist/server.key');
var server = restify.createServer({
  certificate: tlsCertificate,
  key: tlsPrivateKey,
  name: 'MyAlcoholist'
});
/**
 * Preflight (OPTIONS) handler: writes the CORS response headers, then calls
 * next().
 *
 * Authorization is missing from the Access-Control-Allow-Headers value, so a
 * browser rejects the preflight of any request carrying that header; this is
 * the error reported on this page.
 *
 * NOTE(review): Access-Control-Allow-Origin is '*' here even though the
 * restify.CORS config in the same snippet restricts origins to an allow-list.
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only setHeader() is used
 * @param {function} next - continuation; its return value is returned
 */
function corsHandler(req, res, next) {
  var corsHeaders = {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Headers': 'Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token',
    'Access-Control-Allow-Methods': '*',
    'Access-Control-Expose-Headers': 'X-Api-Version, X-Request-Id, X-Response-Time',
    'Access-Control-Max-Age': '1000'
  };

  // String keys keep insertion order, so headers are set in the order listed.
  Object.keys(corsHeaders).forEach(function (headerName) {
    res.setHeader(headerName, corsHeaders[headerName]);
  });

  return next();
}
/**
 * Terminal handler for OPTIONS requests: sends status 200 with no body and
 * then calls next().
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only send() is used
 * @param {function} next - continuation; its return value is returned
 */
function optionsRoute(req, res, next) {
  var HTTP_OK = 200;
  res.send(HTTP_OK);
  return next();
}
// Body parsing is registered first so later handlers see parsed bodies.
server.use(restify.bodyParser());

// CORS policy for the API, limited to the listed front-end origins.
// NOTE(review): corsHandler (registered on the OPTIONS route below) sets
// Access-Control-Allow-Origin to '*', which does not match this allow-list.
var corsPlugin = restify.CORS({
  origins: ['http://127.0.0.1', 'https://myalcoholist.com', 'https://www.myalcoholist.com'], // defaults to ['*']
  credentials: true, // defaults to false
  headers: ['x-foo'], // sets expose-headers
  methods: ['GET', 'PUT', 'DELETE', 'POST', 'OPTIONS']
});
server.use(corsPlugin);

// Preflight route: CORS headers, then a 200.
// NOTE(review): the first argument is a string, not a RegExp literal; inside a
// string '\.' is just '.', so confirm the route matches the paths you expect.
server.opts('/\.*/', corsHandler, optionsRoute);

server.listen(8888, function onListening() {
  console.log('%s listening at %s', server.name, server.url);
});
如您所见,我实现了一个 corsHandler 函数来处理 OPTIONS 请求。我遇到的问题是,当我从 https://myalcoholist.com 访问此 nodejs api 时,在 Google Chrome 浏览器中收到以下错误:
XMLHttpRequest cannot load https://myalcoholist.com:8888/cocktail/get_latest_drinks. Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.
有人知道我为什么会收到这个错误吗?
看来答案很简单:我需要在允许的请求头列表(Access-Control-Allow-Headers)中加上 Authorization。修改后的 corsHandler 函数如下:
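/**
 * Sets the CORS response headers for a preflight (OPTIONS) request and passes
 * control to the next handler in the chain.
 *
 * Authorization is listed in Access-Control-Allow-Headers, which resolves the
 * preflight error reported on this page. It has to be named explicitly:
 * browsers do not let a '*' wildcard in that header cover Authorization.
 *
 * Changes from the version posted on the page:
 *  - Access-Control-Allow-Origin echoes the request's Origin only when it is
 *    on the allow-list (the same origins the page passes to restify.CORS)
 *    instead of answering '*' to every site.
 *  - Access-Control-Allow-Methods names the methods explicitly; '*' is only a
 *    wildcard for requests made without credentials, and older browsers do not
 *    treat it as a wildcard at all.
 *
 * @param {object} req - incoming request; headers.origin is read
 * @param {object} res - response; only setHeader() is used
 * @param {function} next - continuation; its return value is returned
 */
function corsHandler(req, res, next) {
  var allowedOrigins = [
    'http://127.0.0.1',
    'https://myalcoholist.com',
    'https://www.myalcoholist.com'
  ];
  var requestOrigin = req.headers ? req.headers.origin : undefined;

  // The response depends on the Origin header, so caches must key on it.
  res.setHeader('Vary', 'Origin');

  // An origin that is absent or not on the list gets no Allow-Origin header,
  // so the browser fails the preflight and never sends the real request.
  if (allowedOrigins.indexOf(requestOrigin) !== -1) {
    res.setHeader('Access-Control-Allow-Origin', requestOrigin);
  }

  res.setHeader('Access-Control-Allow-Headers', 'Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token,Authorization');
  res.setHeader('Access-Control-Allow-Methods', 'GET, PUT, DELETE, POST, OPTIONS');
  res.setHeader('Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time');
  res.setHeader('Access-Control-Max-Age', '1000');
  return next();
}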
我通过以下代码解决了 restify 中 GET/POST 请求的 OPTIONS MethodNotAllowed 错误和 CORS 预检问题:
var server = restify.createServer({
name: "Test Server",
version: "2.0.1"
});
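/**
 * Sets the CORS response headers for a preflight (OPTIONS) request and passes
 * control to the next handler in the chain.
 *
 * Authorization is named explicitly in Access-Control-Allow-Headers; browsers
 * do not let a '*' wildcard in that header cover Authorization.
 *
 * Change from the version posted on the page: Access-Control-Allow-Methods
 * lists the methods explicitly (the same ones passed to restify.CORS in this
 * snippet). '*' is only a wildcard for requests made without credentials, and
 * older browsers do not treat it as a wildcard at all.
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only setHeader() is used
 * @param {function} next - continuation; its return value is returned
 */
function corsHandler(req, res, next) {
  // NOTE(review): '*' lets a page on any site pass this preflight, and browsers
  // refuse it for requests made with credentials. If the API serves known
  // front ends only, echo the request's Origin after checking an allow-list.
  res.setHeader('Access-Control-Allow-Origin', '*');
  res.setHeader('Access-Control-Allow-Headers', 'Origin, Accept, Accept-Version, Content-Length, Content-MD5, Content-Type, Date, X-Api-Version, X-Response-Time, X-PINGOTHER, X-CSRF-Token,Authorization');
  res.setHeader('Access-Control-Allow-Methods', 'GET, PUT, DELETE, POST, OPTIONS');
  res.setHeader('Access-Control-Expose-Headers', 'X-Api-Version, X-Request-Id, X-Response-Time');
  res.setHeader('Access-Control-Max-Age', '1000');
  return next();
}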
/**
 * Final handler on the OPTIONS route: replies with status 200 (no body) and
 * hands control to next().
 *
 * @param {object} req - incoming request (not read here)
 * @param {object} res - response; only send() is used
 * @param {function} next - continuation; its return value is returned
 */
function optionsRoute(req, res, next) {
  var okStatus = 200;
  res.send(okStatus);

  var outcome = next();
  return outcome;
}
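// CORS policy for the API.
// NOTE(review): `origins` is omitted; the question's config comments say it
// defaults to ['*']. Combined with credentials: true, confirm that is intended.
server.use(restify.CORS({
  credentials: true, // defaults to false
  methods: ['GET', 'PUT', 'DELETE', 'POST', 'OPTIONS']
}));

/*
 routes and authentication handlers
 */

// Answer OPTIONS (preflight) requests with the CORS headers and a 200.
// NOTE(review): the first argument is a string, not a RegExp literal; inside a
// string '\.' is just '.', so confirm the route matches the paths you expect.
server.opts('/\.*/', corsHandler, optionsRoute);

server.listen(serverPort, function() {
  // The rest of this callback is cut off on the page; the message is built but
  // not used in the lines shown. The listen() call is closed here so the
  // snippet parses.
  var consoleMessage = '\n Test Server';
});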
Restify 似乎已经直接移除了内置的 CORS 支持,现在改由插件 restify-cors-middleware 处理。