Since Drupal 8.2, the CORS settings are in core. In my services.yml (and default.services.yml) I have the following settings:

    cors.config:
      enabled: true
      # Specify allowed headers, like 'x-allowed-header'.
      allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
      # Specify allowed request methods, specify ['*'] to allow all possible ones.
      allowedMethods: ['*']
      # Configure requests allowed from specific origins.
      allowedOrigins: ['*']
      # Sets the Access-Control-Expose-Headers header.
      exposedHeaders: false
      # Sets the Access-Control-Max-Age header.
      maxAge: 1000
      # Sets the Access-Control-Allow-Credentials header.
      supportsCredentials: true

My domain a.com is password-protected via htaccess.
On the domain b.com I try to load some API from the domain a.com:

    $.ajaxSetup({
        xhrField: {
            withCredentials : true
        },
        beforeSend: function (xhr) {
            xhr.setRequestHeader('Authorization', 'Basic Z2VuaXVzOmNvYXRpbmdz');
        }
    });
    request = $.ajax({
        url: apiBaseUrl + 'api/foobar',
        dataType: 'json',
        type: 'get',
        password: 'foo',
        username: 'bar'
    });

In Chrome it works fine; in Firefox I get an error. Request headers:

    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: authorization

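The response is 401 "Authorization Required", and it says the request method is OPTIONS (?).
What is going wrong here?
Performing the same request with Insomnia (https://insomnia.rest/) works fine.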
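
The headers reported above are those of a CORS preflight: an OPTIONS request the browser sends without credentials before a cross-origin request that carries an `Authorization` header. The following is an added example, not part of the original question and not Drupal or browser code; it models that exchange against a Basic-auth gate. The `https://b.com` origin, the function names and the `exemptOptions` switch are assumptions.

```javascript
// Simplified model of the exchange; not Drupal or browser source code.
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
// allowedHeaders as listed in the cors.config on this page.
const ALLOWED_HEADERS = ['x-csrf-token', 'authorization', 'content-type', 'accept', 'origin', 'x-requested-with'];

// Returns the preflight a browser sends before the real request, or null if none is needed.
function buildPreflight(origin, method, headers) {
  const extra = Object.keys(headers).map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h)).sort();
  if (SIMPLE_METHODS.has(method.toUpperCase()) && extra.length === 0) return null;
  // The preflight carries no Authorization header and no cookies.
  const pre = { method: 'OPTIONS', headers: { origin, 'access-control-request-method': method.toUpperCase() } };
  if (extra.length > 0) pre.headers['access-control-request-headers'] = extra.join(',');
  return pre;
}

// Hypothetical server answering a preflight: a Basic-auth gate in front of a CORS layer.
// exemptOptions lets unauthenticated OPTIONS requests reach the CORS layer.
function answerPreflight(req, exemptOptions) {
  const gated = !(exemptOptions && req.method === 'OPTIONS');
  if (gated && !('authorization' in req.headers)) {
    return { status: 401, headers: { 'www-authenticate': 'Basic realm="constructed"' } };
  }
  const asked = (req.headers['access-control-request-headers'] || '').split(',').filter(Boolean);
  if (!asked.every((h) => ALLOWED_HEADERS.includes(h))) return { status: 403, headers: {} };
  return { status: 204, headers: {
    'access-control-allow-origin': req.headers.origin, // echoed: '*' is not accepted with credentials
    'access-control-allow-headers': asked.join(','),
    'access-control-allow-credentials': 'true',
  } };
}

// The browser sends the real request only if the preflight succeeds with CORS headers.
function preflightPasses(res) {
  return res.status >= 200 && res.status < 300 && 'access-control-allow-origin' in res.headers;
}

// Constructed request matching the page: GET from b.com with an Authorization header.
const preflight = buildPreflight('https://b.com', 'GET', { Authorization: 'Basic <placeholder>' });
console.log(preflight);
console.log(preflightPasses(answerPreflight(preflight, false))); // gate also applies to OPTIONS
console.log(preflightPasses(answerPreflight(preflight, true)));  // OPTIONS reaches the CORS layer
```

A non-browser client such as Insomnia sends no preflight, so it never hits the gate without credentials.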