I'm trying to send a POST request to a separate subdomain via ajax. The preflight request (OPTIONS) is successful, but the following XMLHttpRequest request returns the "Origin http://app.example.com is not allowed by Access-Control-Allow-Origin."
The client side (app.example.com) code looks like this:
var settings = {
url: 'http://api.example.com/auth',
type: 'POST',
contentType: 'application/json',
crossDomain: true,
headers: {"X-Requested-With": "XMLHttpRequest"},
username: data.username,
success: callback,
error: callback
};
$.ajax(settings);
The server side code (api.example.com) looks like this:
$this->output->set_header('Content-Type: application/json; charset=utf-8');
$this->output->set_header('Access-Control-Allow-Origin: http://app.example.com');
$this->output->set_header('Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD, OPTIONS');
$this->output->set_header('Access-Control-Allow-Headers: X-Requested-With, Origin, X-Csrftoken, Content-Type, Accept');
$this->output->set_header('Access-Control-Allow-Credentials: true');
The OPTIONS request returns a 200 status. I'm hoping someone is able to tell me what I'm missing. Thanks!
解决方案
You need to either:
Remove the Access-Control-Allow-Credentials header entirely (This will not send any cookies on the request), or:
Add the following to your ajax request: xhrFields: { withCredentials: true },
The second option will include cookies on the request. See here for more details: jQuery: sending credentials with cross-domain posts?
You might want to try the first option first, just to make sure the cross-domain request is working, and then add the cookies after that (to make things easier to debug).
4739
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
