Refused to get unsafe header "Location"

Time: 2023-02-05 19:39:44

I have a website and my REST api server.

I do an ajax POST request to the REST server to create a new model. The answer for this request will be an "HTTP/1.1 201 Created" response with the header "Location: http://myapi.com/some/path/111". But I get the error message: Refused to get unsafe header "Location". I know that this is because of cross domain access policy and other bla bla bla.

Does anybody know how to fix it? Maybe I have to add an "Access-Control-Allow-SOMETHINGHERE" header to the response?

UPD:

Web site URL http://www.mydomain.com/

Original URI is http://api.mydomain.com/model/ and new Location URI is http://api.mydomain.com/model/211

The original URI is used for the ajax POST request, which responds with a new Location header.

4 solutions

#1


4  

It's because the Location header is not exposed to the calling client (in this case your ajax code) by default (it's 'unsafe'). To expose it you have to return an additional header:

Access-Control-Expose-Headers: Location

This way the browser will expose it, so the client can read it. You can add multiple comma-separated headers there. More about it here. Here you can read which methods, headers & content types are safe (simple) and don't require any additional configuration.
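
The filtering that answer #1 describes, as an added example that is not part of the original answers: a simplified model of how a browser decides which response headers cross-origin script may read. The function name `readableHeaders` and the sample response are constructed for illustration; the safelist follows the Fetch standard.

```javascript
// Added example: simplified model of the Fetch standard's rule for which
// response headers cross-origin script may read. Not a browser API.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);
// Never readable from script, whatever the CORS headers say.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

function readableHeaders(responseHeaders, { credentials = false } = {}) {
  // Header names are case-insensitive, so normalise them to lower case.
  const headers = new Map(
    Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v])
  );
  const exposeValue = headers.get("access-control-expose-headers") || "";
  const exposed = new Set(
    exposeValue.split(",").map((n) => n.trim().toLowerCase()).filter(Boolean)
  );
  // "*" acts as a wildcard only for requests sent without credentials.
  const wildcard = exposed.has("*") && !credentials;

  const readable = {};
  for (const [name, value] of headers) {
    if (FORBIDDEN.has(name)) continue;
    if (SAFELISTED.has(name) || exposed.has(name) || wildcard) {
      readable[name] = value;
    }
  }
  return readable;
}

// Constructed sample: the 201 response from the question.
const created = {
  "Content-Type": "application/json",
  "Location": "http://api.mydomain.com/model/211",
  "Access-Control-Allow-Origin": "http://www.mydomain.com",
};
const withoutExpose = readableHeaders(created);
const withExpose = readableHeaders({
  ...created,
  "Access-Control-Expose-Headers": "Location",
});
console.log(withoutExpose); // Location is filtered out
console.log(withExpose);    // Location is readable
```

Listing only the headers the client actually needs keeps the rest of the response metadata hidden from third-party origins.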

#2


1  

I'd just work around it, either by returning the new location as a value from the call or having the client code know where the newly created item is stored.

Another option is to create a proxy for the calls on the original domain.

#3


0  

header Location: http://myapi.com/some/path/111"

That piece of code is completely wrong. Use it correctly, or almost correctly.

Try this:

header("Location: http://myapi.com/some/path/111");

or

header("Location: http://myapi.com/some/path/111"); exit();

If this does not work, let me know :-)

#4


0  

For Amazon S3 uploads (via Dropzone for instance) you need this in your CORS configuration.

<ExposeHeader>location</ExposeHeader>
