class MiddlewareHandler(RequestHandler): def set_default_headers(self): # print("setting headers!!!") self.set_header("Access-Control-Allow-Origin", "*") self.set_header('Access-Control-Allow-Methods', 'POST, GET, OPTIONS, DELETE, PUT') self.set_header("Access-Control-Allow-Headers", "token, content-type, user-token")
報錯信息一:
Access to XMLHttpRequest at 'http://localhost:4445/api/v/getmsg' from origin 'http://localhost:9528' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
解決: 將設置的響應頭 "Access-Control-Allow-Origin" 修改為特定的域名, 不能使用 "*"
報錯信息二:
Access to XMLHttpRequest at 'http://localhost:4445/api/v/getmsg' from origin 'http://localhost:9528' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
解決: 增加一行配置, "Access-Control-Allow-Credentials" value="true"
報錯信息三:
Access to XMLHttpRequest at 'http://localhost:4445/api/v/getmsg' from origin 'http://localhost:9528' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
原因:
瀏覽器請求接口時會發送兩個請求,一個是預請求,相當於確認請求(OPTIONS),第二個請求才是你要發送的真正的請求,而這個錯誤信息說明的是第一個OPTINOS請求失敗,在服務端沒有處理這個method為OPTIONS的請求,需要對它處理一下, 服務端只需要再寫一個options 方法, 並且返回200狀態碼即可。
第一種:No 'Access-Control-Allow-Origin' header is present on the requested resource,並且The response had HTTP status code 404
XMLHttpRequest cannot load http://b.domain.com, Response to preflinght request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://a.domain.com' is therefore not allowed access. The Response had HTTP status code 404. ps.並且The response had HTTP status code 404
問題原因:服務器端后台沒有允許OPTIONS請求
第二種:No 'Access-Control-Allow-Origin' header is present on the requested resource,並且The response had HTTP status code 405
XMLHttpRequest cannot load http://b.domain.com, Response to preflinght request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://a.domain.com' is therefore not allowed access. The Response had HTTP status code 405. ps.並且The response had HTTP status code 405
問題原因:服務器端后台允許了OPTIONS請求,但是某些安全配置阻止了OPTIONS請求
第三種:No 'Access-Control-Allow-Origin' header is present on the requested resource,並且The response had HTTP status code 200
XMLHttpRequest cannot load http://b.domain.com, Response to preflinght request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://a.domain.com' is therefore not allowed access. ps.並且The response had HTTP status code 200
問題原因:服務器端后台允許了OPTIONS請求,並且OPTIONS請求沒有被阻止,但是頭部不匹配。
第四種:heade contains multiple values '*,*',並且The response had HTTP status code 200
XMLHttpRequestcannot load http://b.domain.com. The 'Access-Control-Allow-Origin' header contains multiple values'*, *', but only one is allowed. Origin 'http://a.domain.com' is therefore notallowed access. ps.並且The response had HTTP status code 200
問題原因:設置多次Access-Control-Allow-Origin=*,可能是配置的人對CORS實現原理和機制不了解導致。