从 ExtJS 请求到 node.js 时出现 CORS 问题。请求或响应 Header 不正确?
CORS Issue When Requesting from ExtJS to node.js. Request or Response Header Incorrect?
我在向网络中两个不同域之间的 Nodejs 服务器发出 ExtJS AJAX 请求时遇到问题,我将不胜感激任何帮助。当从 ExtJS 客户端尝试从 http 和 https 尝试时,响应失败,但通过 http returns 200 OK 从我的本地卷曲,数据正确。我们正在处理内容类型 application/json.
ExtJS onReady 函数已启用 CORS:
Ext.onReady(function () {
Ext.Ajax.cors = true;
Ext.Ajax.useDefaultXhrHeader = false;
... (code removed)
})
我的 ExtJS 客户端在已知工作 URL 上进行的测试将正确创建 ExtJS 数据存储(返回 200 OK):
Ext.create('Ext.data.Store', {
id : 'countryStore',
model : 'country',
autoLoad : true,
autoDestroy: true,
proxy: {
type: 'rest',
url : 'https://restcountries.eu/rest/v1/all',
},
reader: {
type : 'json',
headers: {'Accept': 'application/json'},
totalProperty : 'total',
successProperty: 'success',
messageProperty: 'message'
}
});
但是,当尝试通过
向我们的 Nodejs 服务器发出请求时
http:
Ext.create('Ext.data.Store', {
id : 'circuits',
model : 'circuit',
autoLoad : true,
autoDestroy: true,
proxy: {
type: 'rest',
url : 'http://ourNodeJsServerDomain:5500/v3/circuits',
},
reader: {
type : 'json',
headers: {'Accept': 'application/json'},
totalProperty : 'total',
successProperty: 'success',
messageProperty: 'message'
}
});
returns Chrome 控制台中的以下内容:
Mixed Content: The page at 'https://ourExtJsDevClientSide' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://ourNodeJsServerDomain:5500/v3/circuits?_dc=1430149427032&page=1&start=0&limit=50'. This request has been blocked; the content must be served over HTTPS.
现在,当尝试超过 https 时:
Firefox 显示:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://ourNodeJsServerDomain:5500/v3/circuits?_dc=1430151516741&page=1&start=0&limit=50. This can be fixed by moving the resource to the same domain or enabling CORS.
并且请求 Header 没有显示 "application/json",这是一个问题吗?:
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding
gzip, deflate
Accept-Language
en-US,en;q=0.5
Host
ourNodeJsServerDomain:5500
Origin
https://ourExtJsDevClientSide
Referer
https://ourExtJsDevClientSide
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
然后我尝试使用 Curl 来查看有助于调试的响应
on http 给出了 200 OK 响应,但 Access-Control-Allow-Origin 未定义,即使我们将其定义为 "*":
curl http://ourNodeJsServerDomain:5500/v3circuits?_limit=1 -v
> GET /v3/circuits?_limit=1 HTTP/1.1
> User-Agent: curl/7.37.1
> Host: ourNodeJsServerDomain:5500
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: undefined
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Headers: Content-Type
< Content-Type: application/json; charset=utf-8
< Content-Length: 1126
< ETag: W/"MlbRIlFPCV6w7+PmPoVYiA=="
< Date: Mon, 27 Apr 2015 16:24:18 GMT
< Connection: keep-alive
<
[
{ *good json data returned here* } ]
然后当我尝试通过 https
卷曲时
curl https://ourNodeJsServerDomain:5500/v3/circuits?_limit=1 -v
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
我们已经在我们的 Nodejs 服务器上启用了 CORS:
router
.all('*', function(req, res, next){
res.setHeader('Content-Type', 'application/json');
// res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
// console.log('\n\nreq.headers.origin ===================== ' + req.headers.origin);
//I have tried allowing all * via res.SetHeader and res.header and neither is defining the Access-Control-Allow-Origin properly when curling
//res.setHeader("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Origin", "*");
// res.header("Access-Control-Allow-Headers", "X-Requested-With");
res.header('Access-Control-Allow-Methods', 'GET');
res.header('Access-Control-Allow-Headers', 'Content-Type');
我已经尝试详细说明我的思考过程,我愿意尝试新的方法来确定如何理解和解决这个问题。
* 解决方案 *
问题是来自浏览器的混合内容。我们的客户端 UI 使用 https(安全),而我们从 nodejs 服务器请求 http(不安全)内容。我们需要允许我们的 nodejs 服务器在 https
上 运行
我们 generated SSL certifications 并将它们实现到我们的 nodejs 服务器上。
在 nodejs 代码中,我们使用 CORS 模块启用了 CORS,并且 运行 同时连接 http 和 https 服务器:
// enable CORS for all requests
var cors = require('cors');
app.use(cors());
// for certifications
var credentials = {
key: fs.readFileSync('our.key'),
cert: fs.readFileSync('our.crt')
};
var httpServer = http.createServer(app);
var httpsServer = https.createServer(credentials, app);
httpServer.listen(port, function() {
console.log('HTTP server listening on port ' + port);
});
httpsServer.listen(httpsPort, function() {
console.log('HTTPS server listening on port ' + httpsPort);
});
您的服务器中的 CORS 和 HTTPS 似乎都存在问题...您应该尝试 this middleware for the CORS part, and make it work when accessing the page in raw HTTP first. As far as I know, you'll have to use different ports for HTTP and HTTPS. And you will also probably need to enable CORS credentials。正如我所说,我认为您最好先让它在 HTTP 中运行 ;)
然后,在 Ext 部分,正如评论中已经提到的,您可能应该禁用默认值 headers(或者您必须让服务器接受所有这些;请参阅对 this answer). But you need to do that on the proxy, because apparently it replaces the global setting 在 Ext.Ajax.
所以,像这样:
Ext.create('Ext.data.Store', {
id : 'countryStore',
model : 'country',
autoLoad : true,
autoDestroy: true,
proxy: {
type: 'rest',
url : 'https://restcountries.eu/rest/v1/all',
useDefaultXhrHeader: false, // <= HERE
reader: {
type : 'json',
headers: {'Accept': 'application/json'},
totalProperty : 'total',
successProperty: 'success',
messageProperty: 'message'
}
} // <= and notice this change
});
可能不相关,但请注意您的缩进不正确并隐藏了 reader 选项应用于商店本身而不是代理(因此被忽略)的事实。
我在向网络中两个不同域之间的 Nodejs 服务器发出 ExtJS AJAX 请求时遇到问题,我将不胜感激任何帮助。当从 ExtJS 客户端尝试从 http 和 https 尝试时,响应失败,但通过 http returns 200 OK 从我的本地卷曲,数据正确。我们正在处理内容类型 application/json.
ExtJS onReady 函数已启用 CORS:
Ext.onReady(function () {
Ext.Ajax.cors = true;
Ext.Ajax.useDefaultXhrHeader = false;
... (code removed)
})
我的 ExtJS 客户端在已知工作 URL 上进行的测试将正确创建 ExtJS 数据存储(返回 200 OK):
Ext.create('Ext.data.Store', {
id : 'countryStore',
model : 'country',
autoLoad : true,
autoDestroy: true,
proxy: {
type: 'rest',
url : 'https://restcountries.eu/rest/v1/all',
},
reader: {
type : 'json',
headers: {'Accept': 'application/json'},
totalProperty : 'total',
successProperty: 'success',
messageProperty: 'message'
}
});
但是,当尝试通过
向我们的 Nodejs 服务器发出请求时http:
Ext.create('Ext.data.Store', {
id : 'circuits',
model : 'circuit',
autoLoad : true,
autoDestroy: true,
proxy: {
type: 'rest',
url : 'http://ourNodeJsServerDomain:5500/v3/circuits',
},
reader: {
type : 'json',
headers: {'Accept': 'application/json'},
totalProperty : 'total',
successProperty: 'success',
messageProperty: 'message'
}
});
returns Chrome 控制台中的以下内容:
Mixed Content: The page at 'https://ourExtJsDevClientSide' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://ourNodeJsServerDomain:5500/v3/circuits?_dc=1430149427032&page=1&start=0&limit=50'. This request has been blocked; the content must be served over HTTPS.
现在,当尝试超过 https 时:
Firefox 显示:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://ourNodeJsServerDomain:5500/v3/circuits?_dc=1430151516741&page=1&start=0&limit=50. This can be fixed by moving the resource to the same domain or enabling CORS.
并且请求 Header 没有显示 "application/json",这是一个问题吗?:
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding
gzip, deflate
Accept-Language
en-US,en;q=0.5
Host
ourNodeJsServerDomain:5500
Origin
https://ourExtJsDevClientSide
Referer
https://ourExtJsDevClientSide
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
然后我尝试使用 Curl 来查看有助于调试的响应
on http 给出了 200 OK 响应,但 Access-Control-Allow-Origin 未定义,即使我们将其定义为 "*":
curl http://ourNodeJsServerDomain:5500/v3circuits?_limit=1 -v
> GET /v3/circuits?_limit=1 HTTP/1.1
> User-Agent: curl/7.37.1
> Host: ourNodeJsServerDomain:5500
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: undefined
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Headers: Content-Type
< Content-Type: application/json; charset=utf-8
< Content-Length: 1126
< ETag: W/"MlbRIlFPCV6w7+PmPoVYiA=="
< Date: Mon, 27 Apr 2015 16:24:18 GMT
< Connection: keep-alive
<
[
{ *good json data returned here* } ]
然后当我尝试通过 https
curl https://ourNodeJsServerDomain:5500/v3/circuits?_limit=1 -v
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
我们已经在我们的 Nodejs 服务器上启用了 CORS:
router
.all('*', function(req, res, next){
res.setHeader('Content-Type', 'application/json');
// res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
// console.log('\n\nreq.headers.origin ===================== ' + req.headers.origin);
//I have tried allowing all * via res.SetHeader and res.header and neither is defining the Access-Control-Allow-Origin properly when curling
//res.setHeader("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Origin", "*");
// res.header("Access-Control-Allow-Headers", "X-Requested-With");
res.header('Access-Control-Allow-Methods', 'GET');
res.header('Access-Control-Allow-Headers', 'Content-Type');
我已经尝试详细说明我的思考过程,我愿意尝试新的方法来确定如何理解和解决这个问题。
* 解决方案 *
问题是来自浏览器的混合内容。我们的客户端 UI 使用 https(安全),而我们从 nodejs 服务器请求 http(不安全)内容。我们需要允许我们的 nodejs 服务器在 https
上 运行我们 generated SSL certifications 并将它们实现到我们的 nodejs 服务器上。
在 nodejs 代码中,我们使用 CORS 模块启用了 CORS,并且 运行 同时连接 http 和 https 服务器:
// enable CORS for all requests
var cors = require('cors');
app.use(cors());
// for certifications
var credentials = {
key: fs.readFileSync('our.key'),
cert: fs.readFileSync('our.crt')
};
var httpServer = http.createServer(app);
var httpsServer = https.createServer(credentials, app);
httpServer.listen(port, function() {
console.log('HTTP server listening on port ' + port);
});
httpsServer.listen(httpsPort, function() {
console.log('HTTPS server listening on port ' + httpsPort);
});
您的服务器中的 CORS 和 HTTPS 似乎都存在问题...您应该尝试 this middleware for the CORS part, and make it work when accessing the page in raw HTTP first. As far as I know, you'll have to use different ports for HTTP and HTTPS. And you will also probably need to enable CORS credentials。正如我所说,我认为您最好先让它在 HTTP 中运行 ;)
然后,在 Ext 部分,正如评论中已经提到的,您可能应该禁用默认值 headers(或者您必须让服务器接受所有这些;请参阅对 this answer). But you need to do that on the proxy, because apparently it replaces the global setting 在 Ext.Ajax.
所以,像这样:
Ext.create('Ext.data.Store', {
id : 'countryStore',
model : 'country',
autoLoad : true,
autoDestroy: true,
proxy: {
type: 'rest',
url : 'https://restcountries.eu/rest/v1/all',
useDefaultXhrHeader: false, // <= HERE
reader: {
type : 'json',
headers: {'Accept': 'application/json'},
totalProperty : 'total',
successProperty: 'success',
messageProperty: 'message'
}
} // <= and notice this change
});
可能不相关,但请注意您的缩进不正确并隐藏了 reader 选项应用于商店本身而不是代理(因此被忽略)的事实。