Keep getting No 'Access-Control-Allow-Origin' error with XMLHttpRequest

Backend | Unresolved | 5 | 1032
被撕碎了的回忆 2020-12-15 08:58

I would have solved this issue by using the jQuery $.ajax function, but in this case jQuery is not an option. Instead I am going with a CORS request. I feel there is so

5 answers
  • 2020-12-15 09:07

    We see this a lot with OAuth2 integrations. We provide API services to our Customers, and they'll naively try to put their private key into an AJAX call. This is really poor security. And well-coded API Gateways, backends for frontend, and other such proxies, do not allow this. You should get this error.

    I will quote @aspillers' comment and change a single word: "Access-Control-Allow-Origin is a header sent in a server response which indicates IF the client is allowed to see the contents of a result".

    ISSUE: The problem is that a developer is trying to include their private key inside a client-side (browser) JavaScript request. They will get an error, and this is because they are exposing their client secret.

    SOLUTION: Have the JavaScript web application talk to a backend service that holds the client secret securely. That backend service can authenticate the web app to the OAuth2 provider, and get an access token. Then the web application can make the AJAX call.

  • 2020-12-15 09:10

    Remove:

    httpRequest.setRequestHeader( 'Access-Control-Allow-Origin', '*');
    

    ... and add:

    httpRequest.withCredentials = false;
    
  • 2020-12-15 09:17

    In addition to your CORS issue, the server you are trying to access has HTTP basic authentication enabled. You can include credentials in your cross-domain request by specifying the credentials in the URL you pass to the XHR:

    url = 'http://username:password@test.testhost.com/testpage'
    
  • 2020-12-15 09:19

    Your server's response allows the request to include three specific non-simple headers:

    Access-Control-Allow-Headers:origin, x-requested-with, content-type
    

    but your request has a header not allowed by the server's response:

    Access-Control-Request-Headers:access-control-allow-origin, content-type
    

    All non-simple headers sent in a CORS request must be explicitly allowed by the Access-Control-Allow-Headers response header. The unnecessary Access-Control-Allow-Origin header sent in your request is not allowed by the server's CORS response. This is exactly what the "...not allowed by Access-Control-Allow-Headers" error message was trying to tell you.

    There is no reason for the request to have this header: it does nothing, because Access-Control-Allow-Origin is a response header, not a request header.

    Solution: Remove the setRequestHeader call that adds an Access-Control-Allow-Origin header to your request.

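The preflight rule described in the answer above, as an added example that is not from the thread: a small JavaScript model of how a browser builds its Access-Control-Request-Headers list and compares it against the server's Access-Control-Allow-Headers value. The safelist is simplified and the request/response values are constructed to match the headers quoted in the answer.

```javascript
// Header names a browser may send without preflight (simplified CORS safelist).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type is only safelisted for these media types.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Build the Access-Control-Request-Headers list a browser would send for
// the given request headers: only the non-safelisted ones, lowercased, sorted.
function requestHeadersNeedingPreflight(headers) {
  const names = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === 'content-type') {
      const mediaType = value.split(';')[0].trim().toLowerCase();
      if (SAFELISTED_CONTENT_TYPES.has(mediaType)) continue;
    } else if (SAFELISTED.has(lower)) {
      continue;
    }
    names.push(lower);
  }
  return names.sort();
}

// Compare the preflight list with the server's Access-Control-Allow-Headers
// value (comma-separated, case-insensitive). A bare "*" allows every header,
// but only for requests sent without credentials.
function disallowedHeaders(allowHeadersValue, headers, withCredentials = false) {
  const allowed = new Set(
    allowHeadersValue.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean),
  );
  const requested = requestHeadersNeedingPreflight(headers);
  if (allowed.has('*') && !withCredentials) return [];
  return requested.filter((h) => !allowed.has(h));
}

// Constructed sample matching the thread: the server's allow list and the
// request from the question, before and after removing the bogus header.
const serverAllowHeaders = 'origin, x-requested-with, content-type';
const originalRequest = {
  'Access-Control-Allow-Origin': '*',
  'Content-Type': 'application/json',
};
const fixedRequest = { 'Content-Type': 'application/json' };

console.log(disallowedHeaders(serverAllowHeaders, originalRequest)); // [ 'access-control-allow-origin' ]
console.log(disallowedHeaders(serverAllowHeaders, fixedRequest));    // []
```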
  • 2020-12-15 09:23

    Enable CORS on the backend server, or add a Chrome extension (https://chrome.google.com/webstore/search/CORS?utm_source=chrome-ntp-icon) and turn it on.
